Information disclosure of private project existence via improper authorization
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages. A flaw was found in GitLab. This vulnerability allows an attacker to gain sensitive information about private projects. Red Hat does not ship or distribute GitLab Community Edition (CE) or Enterprise Edition (EE), the products affected by this flaw. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-862. Red Hat lists OpenShift Pipelines; Red Hat OpenShift Container Platform 4 as not affected.
- < 9.1
- < 18.11.7
- < 19.0
- < 19.0.4
- < 19.1
- < 19.1.2
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Not applicable; Red Hat products are not affected by this vulnerability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.