CVE-2019-19312
Description
GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 8.14–12.5 retains fork relationships via API after a project becomes private, leaking metadata.
Vulnerability
In GitLab EE versions 8.14 through 12.5, 12.4.3, and 12.3.6, an incorrect access control vulnerability exists in the Projects API related to forked repositories. When a project is changed from public to private, the fork relationship with previously created forks is not removed. As a result, a user who forked the original project before it was made private can still query their own fork’s API endpoint (/api/v4/projects/<fork_id>) and retrieve the forked_from_project field, which contains information about the now-private parent project. [1]
Exploitation
An attacker needs only a GitLab account and must have forked the target project while it was still public. After the project owner sets the project to private, the attacker can make an authenticated API request to their fork’s project ID, e.g., GET /api/v4/projects/<fork_id>. The response includes the forked_from_project object, exposing details (such as the project name, description, namespace, and other metadata) of the private parent project. No special privileges beyond normal API access are required. [1]
Impact
Successful exploitation allows any user who previously forked a project to persistently monitor the private project’s metadata through the API, even after access to the project’s web interface has been revoked. This constitutes an information disclosure vulnerability, leaking details that the project owner intended to keep confidential. No code execution, file modification, or privilege escalation is possible. [1]
Mitigation
The vulnerability is fixed in GitLab versions 12.5.1, 12.4.4, and 12.3.7, released on 2020-01-02 [2]. Users should upgrade to one of these patched versions or later. There is no known workaround; restricting API access via network policies may reduce exposure but does not address the root cause. The issue is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of this writing. [2]
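As an added example (not code from GitLab or from the cited advisory), the function below turns the version information on this page into a check a defender can run against an inventory of GitLab EE instances: it treats every version from 8.14 up to the 12.5 series as affected unless it is at or above the fixed release for its series (12.5.1, 12.4.4 or 12.3.7). The version strings in `SAMPLE_INVENTORY` are constructed for illustration; the `-ee` suffix handling assumes GitLab's usual `MAJOR.MINOR.PATCH[-ee]` format.

```python
# Added example: classify GitLab EE version strings against the
# CVE-2019-19312 affected/fixed ranges stated in the advisory text.
# Ranges used: affected >=8.14 and <=12.5 series; fixed in 12.5.1, 12.4.4, 12.3.7.
import re

AFFECTED_MIN = (8, 14, 0)          # first affected release series
AFFECTED_MAX_SERIES = (12, 5)      # last affected release series
# First fixed patch release per series (from the Mitigation section).
FIXED_IN = {
    (12, 5): (12, 5, 1),
    (12, 4): (12, 4, 4),
    (12, 3): (12, 3, 7),
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "git-prod.example.internal": "12.5.0-ee",
    "git-staging.example.internal": "12.5.1-ee",
    "git-legacy.example.internal": "12.3.6-ee",
    "git-old.example.internal": "8.13.9-ee",
    "git-new.example.internal": "12.6.0-ee",
}


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into an int tuple; patch defaults to 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """Return True if the given GitLab EE version is in the affected range."""
    v = parse_version(version)
    series = v[:2]
    # Outside the affected window entirely (older than 8.14 or newer than 12.5.x).
    if v < AFFECTED_MIN or series > AFFECTED_MAX_SERIES:
        return False
    # Inside the window: only a backported fix release clears the series.
    fixed = FIXED_IN.get(series)
    if fixed is not None and v >= fixed:
        return False
    return True


def audit(inventory):
    """Map each host to a verdict so the result can be fed into a ticketing or reporting step."""
    return {host: is_vulnerable(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, vulnerable in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPGRADE REQUIRED' if vulnerable else 'ok'}")
```

Instances in the 12.0 to 12.2 series report as vulnerable with no fixed release of their own, which matches the advice on this page to move to 12.3.7, 12.4.4, 12.5.1 or later.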
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab/GitLab EE
  - Range: >=8.14, <=12.5
Patches
- 3c1b3929bc6704025dea899895b6250ce868e
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ (x_refsource_CONFIRM)
- about.gitlab.com/blog/categories/releases/ (x_refsource_MISC)
- gitlab.com/gitlab-org/gitlab/issues/28802 (x_refsource_MISC)
News mentions
No linked articles in our index yet.