CVE-2019-19628
Description
In GitLab EE 11.3 through 12.5.3, 12.4.5, and 12.3.8, insufficient parameter sanitization for the Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient parameter sanitization in the Maven package registry of GitLab EE can lead to privilege escalation and remote code execution under certain conditions. Affected: 11.3 up to and including 12.5.3 on the current line, and up to 12.4.5 and 12.3.8 on the two older maintained lines.
Vulnerability
The vulnerability resides in the Maven package registry of GitLab EE, affecting releases from 11.3 up to and including 12.5.3, 12.4.5 and 12.3.8. Parameters supplied to the registry endpoints are not sufficiently sanitized. The cited advisory states that this can lead to privilege escalation and remote code execution under certain conditions, but it does not publish the precise mechanism or the affected endpoint.
Exploitation
The cited advisory publishes neither the preconditions nor a proof of concept; it states only that exploitation is possible "under certain conditions", and it does not say whether a valid account is required. The Maven package registry is reached over the instance's ordinary HTTPS endpoints, so no special network position beyond the ability to send requests to the registry is implied. Until an instance in the affected range is upgraded, treat it as exploitable by anyone who can reach its package registry.
Impact
Successful exploitation can result in privilege escalation (gaining permissions beyond those granted to the attacker) and remote code execution on the GitLab application server. Code execution on that server puts the confidentiality, integrity and availability of everything the instance holds at risk, since the application process has access to all data and credentials the instance stores.
Mitigation
GitLab fixed this issue in 12.5.4, 12.4.6 and 12.3.9 [1], the releases immediately following the last affected versions named in the description (the versions given there, 12.5.3, 12.4.5 and 12.3.8, are the last vulnerable releases on each line, not the fixes). GitLab recommends that all affected instances upgrade to one of these releases or later. No workaround is published; upgrading is the remediation. The vulnerability is not listed on CISA KEV as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab / GitLab EE
- Range: >=11.3, <=12.5.3
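As an added check (not from this page, from GitLab, or from the advisory), the following Python maps a GitLab version string, in the form the GET /api/v4/version endpoint or the admin area reports, onto the affected ranges stated in the CVE description, including the branch-specific cut-offs on the 12.4 and 12.3 lines. The fixed releases it assumes, 12.5.4, 12.4.6 and 12.3.9, are the releases directly above the last affected versions the description lists; 12.5.4 is also the release the cited advisory announces. The edition handling is an assumption: the description names GitLab EE only, so an explicit "-ce" suffix is treated as out of scope and a missing suffix is treated conservatively as EE.

```python
"""Version check for CVE-2019-19628 (GitLab EE Maven package registry).

Affected ranges taken from the CVE description: 11.3 up to and including
12.5.3, plus the 12.4 line up to 12.4.5 and the 12.3 line up to 12.3.8.
The first fixed release on each line is therefore 12.5.4, 12.4.6 and 12.3.9
(assumed here as the release directly after each last-affected version).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_FROM: Version = (11, 3, 0)
# Last affected release on each line that received a backported fix.
LAST_AFFECTED = {
    (12, 5): (12, 5, 3),
    (12, 4): (12, 4, 5),
    (12, 3): (12, 3, 8),
}
# Newest affected version overall; anything above it (12.6+) ships the fix.
NEWEST_AFFECTED: Version = (12, 5, 3)

# Matches '12.5.3', '12.5.3-ee', '12.5.3-ce.0', '11.3' and similar strings.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(ee|ce))?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Version, str]]:
    """Return ((major, minor, patch), edition) or None if the string is unparseable.

    edition is 'ee', 'ce' or '' when the string carries no edition suffix.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    edition = (m.group(4) or "").lower()
    return version, edition


def is_affected(text: str) -> bool:
    """True if the version string falls inside the ranges the CVE description names."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    version, edition = parsed
    # The description names GitLab EE only; an explicit CE suffix is out of scope.
    # A missing suffix is treated as EE (assumption: err on the side of flagging).
    if edition == "ce":
        return False
    if version < AFFECTED_FROM:
        return False
    line = (version[0], version[1])
    if line in LAST_AFFECTED:
        return version <= LAST_AFFECTED[line]
    # 11.3 .. 12.2: the description lists no fixed release on these lines, so
    # every patch version is affected. 12.6 and later sit above the newest
    # affected version and carry the fix.
    return version <= NEWEST_AFFECTED


if __name__ == "__main__":
    # Constructed sample inputs in the format /api/v4/version reports.
    samples = ["12.5.3-ee", "12.5.4-ee", "12.4.6-ee", "12.3.8-ee",
               "12.2.10-ee", "11.2.9-ee", "12.5.3-ce"]
    for sample in samples:
        state = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:>12}: {state}")
```

Run it against the version string of each instance you manage; the branch table is the part that is easy to get wrong by hand, since 12.4.6 is fixed while the numerically larger 12.5.3 is not.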
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/ (CONFIRM)
[2] about.gitlab.com/blog/categories/releases/ (MISC)
News mentions
No linked articles in our index yet.