Insecure Storage of Sensitive Information
CVE-2019-12825
Summary
Unauthorized Access to the Container Registry of other groups was discovered in GitLab Enterprise 12.0.0-pre. In other words, authenticated remote attackers can read Docker registries of other groups. When a legitimate user changes the path of a group, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-922 - Insecure Storage of Sensitive Information
The software stores sensitive information without properly limiting read or write access by unauthorized actors.
References
Advisory Timeline
- Published