Commit 82c7a9c0 authored by James Ritchey

add Users with restricted repo access can access and create discussions on commits

parent fa77a9ee
Pipeline #53013253 passed with stages in 17 minutes and 22 seconds
...@@ -142,6 +142,20 @@ Affects GitLab CE/EE 8.7 and later. ...@@ -142,6 +142,20 @@ Affects GitLab CE/EE 8.7 and later.
We **strongly recommend** that all installations running an affected version above to be upgraded to the latest version as soon as possible. We **strongly recommend** that all installations running an affected version above to be upgraded to the latest version as soon as possible.
## Users with restricted repo access can access and create discussions on commits
A permissions issue was discovered for access to discussions/notes on commits. The issue is now mitigated in the latest release and is assigned [CVE-2019-9890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9890).
Thanks to [@xanbanx](https://hackerone.com/xanbanx) for responsibly reporting this vulnerability to us.
### Versions Affected
Affects GitLab CE/EE 10.8.0 and later.
### Remediation
We **strongly recommend** that all installations running an affected version above to be upgraded to the latest version as soon as possible.
## Milestone name disclosure ## Milestone name disclosure
When a project is public and issues are set to `Only Project Members`, milestone names are able to be disclosed via the milestone autocomplete and board endpoints. These issues are now mitigated in the latest release and are assigned [CVE-2019-9171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171) and [CVE-2019-9224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224). When a project is public and issues are set to `Only Project Members`, milestone names are able to be disclosed via the milestone autocomplete and board endpoints. These issues are now mitigated in the latest release and are assigned [CVE-2019-9171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171) and [CVE-2019-9224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224).
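Review bot: the description in the added section ("A permissions issue was discovered for access to discussions/notes on commits") is less specific than its own heading; since the heading states that users with restricted repository access could both view and create commit discussions, the body should say the same so readers can judge exposure without inferring it from the title. The added Remediation line also carries over the grammatical slip from the surrounding sections ("that all installations running an affected version above to be upgraded"); consider "that all installations running an affected version above be upgraded to the latest version as soon as possible."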