
CVE-2019-6790 : What You Need to Know

Learn about CVE-2019-6790, which affects GitLab versions 8.14 through 11.7.1: its impact, the affected systems and versions, how it was exploited, and the mitigation steps for securing GitLab instances.

GitLab Community and Enterprise Edition versions 8.14 through 11.7.1 are affected by an Access Control issue that allows guest users to view merge requests.

Understanding CVE-2019-6790

This CVE involves an Incorrect Access Control vulnerability in GitLab versions 8.14 through 11.7.1.

What is CVE-2019-6790?

This vulnerability in GitLab Community and Enterprise Edition versions 8.14 through 11.7.1 allowed users holding only the Guest role to access and view the merge requests list of a group, which that role was not meant to see.

The Impact of CVE-2019-6790

The vulnerability could lead to unauthorized access to sensitive information, potentially compromising the confidentiality of merge requests within GitLab instances.

Technical Details of CVE-2019-6790

This section provides more technical insights into the vulnerability.

Vulnerability Description

An Incorrect Access Control issue was discovered in GitLab versions 8.14 through 11.7.1, enabling guest users to view a group's merge requests list.

Affected Systems and Versions

        GitLab Community and Enterprise Edition versions 8.14 through 11.5.8
        GitLab Community and Enterprise Edition versions 11.6.x through 11.6.6
        GitLab Community and Enterprise Edition versions 11.7.x through 11.7.1
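As an added example (not code from this page or from GitLab), the following Python helper classifies GitLab instances against the three affected ranges listed above, which also supports the later "update to a version outside the affected ranges" step. It consumes the JSON shape that GitLab's real `GET /api/v4/version` endpoint returns; the instance names, version strings and revision values in the sample are constructed for the example.

```python
import json
from typing import Dict, Tuple

# Affected ranges exactly as the advisory lists them (both ends inclusive).
# The page does not name the fixed releases, so a version above a range's
# upper bound is reported only as "not in a listed affected range".
AFFECTED_RANGES = [
    ((8, 14, 0), (11, 5, 8)),   # 8.14 through 11.5.8
    ((11, 6, 0), (11, 6, 6)),   # 11.6.x through 11.6.6
    ((11, 7, 0), (11, 7, 1)),   # 11.7.x through 11.7.1
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (GitLab reports e.g. '11.7.1-ee').
    Suffixes such as '-ee' or '-pre' are dropped, so a prerelease of an
    affected version counts as affected, which errs on the safe side."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def is_affected(version: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(version_responses: Dict[str, str]) -> Dict[str, bool]:
    """Map {instance: raw body of GET /api/v4/version} to {instance: affected?}.
    An unparseable response is reported as affected (True) so it lands on the
    remediation list instead of being silently dropped."""
    verdicts = {}
    for name, body in version_responses.items():
        try:
            verdicts[name] = is_affected(json.loads(body)["version"])
        except (ValueError, KeyError, TypeError):
            verdicts[name] = True
    return verdicts

# Constructed sample responses in the shape /api/v4/version returns; instance
# names, versions and revision strings are made up for this example.
SAMPLE_RESPONSES = {
    "gitlab-legacy":  '{"version": "11.5.8-ee", "revision": "aaaa111"}',
    "gitlab-staging": '{"version": "11.6.7", "revision": "bbbb222"}',
    "gitlab-prod":    '{"version": "11.7.1-ee", "revision": "cccc333"}',
    "gitlab-dev":     '{"version": "12.0.0-pre", "revision": "dddd444"}',
    "gitlab-old":     '{"version": "8.13.12", "revision": "eeee555"}',
}
```

Calling `triage(SAMPLE_RESPONSES)` flags gitlab-legacy and gitlab-prod as affected and leaves the other three off the remediation list.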

Exploitation Mechanism

Any user holding only the Guest role could bypass the intended access controls and view the merge requests list of a group, without needing any higher permission level.

Mitigation and Prevention

Protecting systems from CVE-2019-6790 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Update GitLab instances to a version outside the affected ranges listed above.
        Restrict guest user access to sensitive information within GitLab.

Long-Term Security Practices

        Regularly monitor and audit access controls within GitLab instances.
        Educate users on proper access management and permissions.

Patching and Updates

        Apply security patches provided by GitLab to address the vulnerability and prevent unauthorized access.
