CVE-2019-19314
Description
GitLab EE 8.4 through 12.5, 12.4.3, and 12.3.6 stored several tokens in plaintext.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 8.4–12.5, 12.4.3, and 12.3.6 stored AWS, Slack, Akismet, and reCAPTCHA tokens in plaintext in the database, exposing them to attackers with database access.
Vulnerability
GitLab Enterprise Edition (EE) versions 8.4 through 12.5, as well as versions 12.4.3 and 12.3.6, stored sensitive tokens in plaintext in the application_settings database table. This affected AWS keys for Elasticsearch, Slack App Secret, Akismet API key, and reCAPTCHA site and private keys [1]. Any user with administrator privileges or database access could read these values directly from the database or via the GitLab UI under the Admin Area settings [1].
Exploitation
An attacker who gains access to the GitLab application server or database — for example, through a separate vulnerability, compromised credentials, or insider threat — can query the application_settings table using a SQL console or inspect the UI settings page to retrieve the plaintext tokens. No additional authentication beyond administrator-level access (or direct database access) is required [1]. The attacker simply executes a SELECT query on the relevant columns to extract the unencrypted values [1].
Impact
Successful exploitation allows the attacker to read sensitive cloud service credentials, including AWS access and secret keys for Elasticsearch, Slack App Secret, and reCAPTCHA keys. This could lead to unauthorized access to linked third-party services, data exfiltration, or resource abuse. The attack compromises the confidentiality of stored secrets and, depending on the privileges of the leaked tokens, could enable further lateral movement or privilege escalation [1].
Mitigation
GitLab addressed this issue in GitLab EE 12.5.1, 12.4.4, and 12.3.7 by encrypting the affected tokens at rest in the database [2]. Users are advised to upgrade to one of these patched versions immediately. After upgrading, users should rotate any exposed tokens (AWS keys, Slack App Secret, Akismet key, reCAPTCHA keys) to prevent misuse of previously leaked credentials [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
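The fix described under Mitigation amounts to encrypting each secret column before it is written and rotating anything that was ever stored in clear. The Ruby block below is an added example, not GitLab's own code or schema: it encrypts the kind of settings row the advisory describes with AES-256-GCM, binding each ciphertext to its column name, and includes an audit helper that lists which sensitive columns still hold plaintext (each hit is a token that was exposed and needs rotation). The column names, the settings row and the key are constructed for the example; a real deployment loads the key from a secrets store, never from source.

```ruby
require 'openssl'
require 'base64'

# Illustrative column names only; this is not GitLab's actual application_settings schema.
SENSITIVE_COLUMNS = %w[
  aws_access_key aws_secret_access_key slack_app_secret
  akismet_api_key recaptcha_site_key recaptcha_private_key
].freeze

# Assumption: the key comes from a secrets file or environment variable in practice.
# This demo key is constructed so the example runs offline.
DEMO_KEY = OpenSSL::Digest::SHA256.digest('constructed-demo-key-not-for-use')

# Stored format: enc:v1:<base64 iv>:<base64 auth tag>:<base64 ciphertext>
PREFIX = 'enc:v1:'

# Encrypt one column value. The column name is passed as authenticated data, so a
# ciphertext moved into a different column no longer decrypts.
def encrypt_token(plain, column, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # fresh 12-byte nonce per value
  cipher.auth_data = column
  ciphertext = cipher.update(plain) + cipher.final
  PREFIX + [iv, cipher.auth_tag, ciphertext].map { |b| Base64.strict_encode64(b) }.join(':')
end

def encrypted?(value)
  value.is_a?(String) && value.start_with?(PREFIX)
end

# Decrypt a stored value. Raises OpenSSL::Cipher::CipherError on a wrong key,
# a tampered ciphertext, or a ciphertext bound to a different column.
def decrypt_token(stored, column, key)
  raise ArgumentError, 'value is not in encrypted format' unless encrypted?(stored)
  iv, tag, ciphertext = stored.delete_prefix(PREFIX).split(':').map { |b| Base64.strict_decode64(b) }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = column
  cipher.update(ciphertext) + cipher.final
end

# Audit check: which sensitive columns of a settings row still hold plaintext?
# Run over the settings table after upgrading; every column returned was exposed
# in the vulnerable versions and its token should be rotated.
def plaintext_secret_columns(row)
  SENSITIVE_COLUMNS.select do |col|
    value = row[col]
    !value.nil? && !value.empty? && !encrypted?(value)
  end
end

# Return a copy of the row with every populated sensitive column encrypted;
# non-secret columns and already-encrypted values pass through unchanged.
def encrypt_row(row, key)
  row.each_with_object({}) do |(col, value), out|
    needs_encryption = SENSITIVE_COLUMNS.include?(col) && value.is_a?(String) &&
                       !value.empty? && !encrypted?(value)
    out[col] = needs_encryption ? encrypt_token(value, col, key) : value
  end
end

# Constructed sample row resembling the affected table; all values are fake.
SAMPLE_ROW = {
  'signup_enabled' => true,
  'aws_access_key' => 'constructed-aws-access-key',
  'aws_secret_access_key' => 'constructed-aws-secret',
  'slack_app_secret' => 'constructed-slack-secret',
  'akismet_api_key' => 'constructed-akismet-key',
  'recaptcha_site_key' => nil,
  'recaptcha_private_key' => 'constructed-recaptcha-private'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "plaintext secrets before: #{plaintext_secret_columns(SAMPLE_ROW).inspect}"
  safe = encrypt_row(SAMPLE_ROW, DEMO_KEY)
  puts "plaintext secrets after:  #{plaintext_secret_columns(safe).inspect}"
  ok = decrypt_token(safe['slack_app_secret'], 'slack_app_secret', DEMO_KEY) == SAMPLE_ROW['slack_app_secret']
  puts "round-trip ok: #{ok}"
end
```

Encrypting at rest only narrows the exposure to whoever holds the key; an administrator who can read the key material (or the settings page that decrypts it for display) still sees the tokens, which is why the advisory pairs the upgrade with rotating every token that was ever stored in plaintext.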
Affected products
- GitLab/GitLab EE
- Range: >=8.4 <=12.5
Patches
- 3c1b3929bc6704025dea899895b6250ce868e
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/ (x_refsource_CONFIRM)
- about.gitlab.com/blog/categories/releases/ (x_refsource_MISC)
- gitlab.com/gitlab-org/gitlab/issues/32381 (x_refsource_MISC)
News mentions
No linked articles in our index yet.