VYPR
Unrated severity · NVD Advisory · Published Jul 10, 2019 · Updated Aug 5, 2024

CVE-2018-19578

Description

GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE 11.5 before 11.5.1 allows users with Reporter privileges to view the Jaeger Tracing Operations page due to an insecure object reference.

Vulnerability

In GitLab EE 11.5 before 11.5.1, the project Operations settings page, specifically its Jaeger Tracing section, lacks a server-side authorization check. The UI hides the Settings menu from Reporters, but a user holding only the Reporter role who requests /settings/operations directly is served the page together with the configured Jaeger tracing URL. The advisory classifies the issue as an insecure object reference; in practice it is a missing role check on a settings route, so the client-side restriction is the only thing standing between a Reporter and the configuration. Every project in which the user holds Reporter privileges is affected. [1]

Exploitation

To exploit the issue, an attacker needs a Reporter account on the target GitLab group or project (group membership is inherited by the group's projects). They request the vulnerable URL (e.g., https://gitlab.com/[username]/[project]/settings/operations) directly and receive the full page, which exposes the configured Jaeger tracing URL. No additional permissions, exploit tooling or victim interaction is required. [1]

Impact

A Reporter user can view the Jaeger tracing operations page, which contains configuration details intended only for Maintainer or Owner roles. This is a vertical authorization bypass rather than a full privilege escalation: the Reporter gains read access to settings, not the ability to change them. The leaked value is the Jaeger endpoint URL, which may point at an internal observability host that the Reporter would not otherwise learn and which can seed further reconnaissance. [1]

Mitigation

Upgrade to GitLab EE version 11.5.1 or later, where the fix was applied. Where upgrading is not immediately possible, limit exposure until patched by blocking requests to project /settings/operations paths at a reverse proxy or WAF in front of GitLab, and by reviewing Reporter membership on projects and groups where Jaeger tracing is configured. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check on the Operations settings page allows users with Reporter privileges to access Jaeger tracing configuration intended only for Maintainers and Owners."

Attack vector

An attacker with only Reporter privileges on a target project or group can access the Jaeger Tracing Operations page by navigating directly to the URL `https://gitlab.com/[username]/[Project_namespace]/settings/operations` [ref_id=1]. The application fails to enforce proper authorization checks for this endpoint, allowing lower-privileged users to view the Jaeger tracing URL that should only be visible to Maintainers and Owners [ref_id=1]. The attacker does not need any special configuration or network position beyond being a member of the target group with Reporter role [ref_id=1].

Affected code

The vulnerability exists in the Operations settings page at `/settings/operations`, which exposes the Jaeger tracing configuration. The issue was introduced in GitLab EE version 11.5 and is fixed in 11.5.1 [ref_id=1].

What the fix does

The advisory references a security issue fix at `https://dev.gitlab.org/gitlab/gitlab-ee/issues/358`, but the specific patch diff is not included in the bundle [ref_id=1]. The fix in GitLab EE 11.5.1 adds proper authorization checks to the Operations settings page so that only users with Maintainer or Owner roles can access the Jaeger tracing configuration [ref_id=1].
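The check the fix adds, modeled as an added example rather than GitLab's own code: a minimal Ruby sketch of the server-side authorization on an Operations settings route, with the missing-check pattern the advisory describes beside a hardened version. Role names follow GitLab's; the numeric levels, the Project struct, the method names and the sample project are illustrative assumptions.

```ruby
# Added example (not GitLab's code): a minimal model of the server-side access
# check on a project's Operations settings route, showing the missing-authorization
# pattern the advisory describes beside a hardened version. Role names follow
# GitLab's; the numeric levels, struct fields and method names are illustrative.

ROLE_LEVEL = {
  guest: 10,
  reporter: 20,
  developer: 30,
  maintainer: 40,
  owner: 50
}.freeze

# members maps username => role symbol; tracing_url is the configured Jaeger URL.
Project = Struct.new(:path, :members, :tracing_url)

# Vulnerable pattern: the route only confirms the requester is a project member,
# which any Guest or Reporter already is, then renders the tracing settings.
def operations_settings_vulnerable(project, user)
  return { status: 404 } unless project.members.key?(user)
  { status: 200, body: { tracing_url: project.tracing_url } }
end

# Hardened pattern: the same route also requires a role at or above Maintainer.
# Unauthorized members get the same 404 a non-member gets, so the response does
# not confirm that an Operations page exists for this project.
def operations_settings_fixed(project, user, required: :maintainer)
  role = project.members[user]
  return { status: 404 } unless role
  return { status: 404 } if ROLE_LEVEL.fetch(role) < ROLE_LEVEL.fetch(required)
  { status: 200, body: { tracing_url: project.tracing_url } }
end

# Which roles can read the tracing URL through a given handler? Useful as a
# regression check: after the fix only :maintainer and :owner should remain.
def roles_that_see_tracing(handler, tracing_url = 'https://jaeger.internal.example:16686')
  ROLE_LEVEL.keys.select do |role|
    project = Project.new('group/proj', { 'member' => role }, tracing_url)
    send(handler, project, 'member')[:status] == 200
  end
end

# Constructed sample project: a Reporter and a Maintainer; anyone else is an outsider.
SAMPLE_PROJECT = Project.new(
  'acme/payments',
  { 'r.reporter' => :reporter, 'm.maintainer' => :maintainer },
  'https://jaeger.internal.example:16686'
).freeze

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{roles_that_see_tracing(:operations_settings_vulnerable).inspect}"
  puts "fixed:      #{roles_that_see_tracing(:operations_settings_fixed).inspect}"
end
```

The point of roles_that_see_tracing is that the fix must be checked across the whole role ladder, not just for Reporter: a check that only excluded Reporter would still leave Guest and Developer reading the page.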

Preconditions

  • Auth: Attacker must be a member of the target group or project with at least Reporter role
  • Config: Target GitLab EE instance must be running version 11.5 before 11.5.1
  • Input: Attacker must know or guess the project namespace URL

Reproduction

1. Create a victim account and add a new group.
2. Add an attacker user into this group as a Reporter role.
3. Log in from the attacker account and go to the victim group.
4. Observe that the attacker does not have access to Settings and Operations → Tracing sections via the UI.
5. Access the URL `https://gitlab.com/[username]/[Project_namespace]/settings/operations` directly.
6. Observe that the Reporter user is able to access the Jaeger tracing information [ref_id=1].
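The reproduction above, turned into a post-upgrade check as an added example that is not part of the advisory or of GitLab: a Ruby script that fetches a project's Operations settings page with a Reporter's web session and classifies the response. Assumptions: GitLab's web session cookie is named _gitlab_session, the path layout is the advisory's /<namespace>/<project>/settings/operations, a denied request is answered with 404 or 403, and an anonymous request is redirected (302) to the sign-in page. The sample response bodies are constructed.

```ruby
require 'net/http'
require 'uri'

# Added example, not part of the advisory or of GitLab: asks whether a
# Reporter-level web session can still fetch a project's Operations settings
# page. Assumptions: the session cookie is _gitlab_session; the path is
# /<namespace>/<project>/settings/operations as in the advisory; a denied
# request returns 404 or 403; an anonymous request is redirected (302) to sign-in.

def operations_settings_uri(base_url, project_path)
  base = base_url.chomp('/') + '/'
  URI.join(base, "#{project_path.sub(%r{\A/}, '')}/settings/operations")
end

# Pure classification of a response so it can be checked without network access.
def classify(status, body)
  case status
  when 200
    body.to_s.match?(/jaeger|tracing/i) ? :exposed : :rendered_without_tracing
  when 302 then :redirected_to_login
  when 403, 404 then :denied
  else :unexpected
  end
end

# Performs the request with the Reporter's session cookie. Run this only against
# an instance you are authorized to test; :exposed means the instance is still affected.
def probe(base_url, project_path, session_cookie)
  uri = operations_settings_uri(base_url, project_path)
  req = Net::HTTP::Get.new(uri)
  req['Cookie'] = "_gitlab_session=#{session_cookie}"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  classify(res.code.to_i, res.body)
end

# Constructed sample responses standing in for what a vulnerable and a fixed
# instance would return to the Reporter's session.
SAMPLE_VULNERABLE = [200, '<h4>Jaeger tracing</h4><input value="https://jaeger.internal.example:16686">'].freeze
SAMPLE_FIXED = [404, '<h1>404</h1>'].freeze

if $PROGRAM_NAME == __FILE__ && ARGV.size == 3
  base_url, project_path, cookie = ARGV
  puts "#{operations_settings_uri(base_url, project_path)} -> #{probe(base_url, project_path, cookie)}"
end
```

Usage: `ruby probe.rb https://gitlab.example.com acme/payments <reporter-session-cookie>`. A result of :redirected_to_login means the cookie was not accepted and the test is inconclusive; :denied is the expected result on 11.5.1 or later.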

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.