Unrated severity · NVD Advisory · Published Jan 5, 2020 · Updated Aug 5, 2024

CVE-2019-19629

Description

In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferring a public project to a private group, private code would be disclosed via the Group Search API provided by the Elasticsearch integration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8 expose private code via the Group Search API when a public project is transferred to a private group.

Vulnerability

In GitLab EE versions 10.5 through 12.5.3, 12.4.5, and 12.3.8, a vulnerability exists in the Elasticsearch integration. When a public project is transferred to a private group, the Group Search API continues to return the previously indexed public data, thereby disclosing private code. The affected versions include all GitLab EE releases from 10.5 up to and including 12.5.3, as well as the specific patch releases 12.4.5 and 12.3.8 [1].

Exploitation

To exploit this vulnerability, an attacker must have access to the Group Search API, which may require authentication depending on instance configuration. The attacker can query the API for content from the transferred project before it is re-indexed after the transfer. The sequence involves a project owner transferring a public project to a private group, and then an attacker using the Group Search API to retrieve the project's data that was originally public.

Impact

Successful exploitation results in information disclosure of private code that was previously public. The attacker gains access to sensitive data that should only be accessible to members of the private group, compromising confidentiality.

Mitigation

GitLab has released patches in subsequent versions to address this issue. Users should upgrade to GitLab EE 12.5.4, 12.4.6, 12.3.9, or later. No workarounds are available; upgrading is recommended [1].
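The mechanism described above (a search index that keeps serving the visibility it recorded at index time after the project has moved) and the fix (refresh the index on transfer, or authorise against the live project record) can be modelled in a few lines. The following is an added, constructed illustration of that bug class; it is not GitLab's code, and the `Project`, `SearchIndex` and search functions are hypothetical stand-ins for the real Elasticsearch integration.

```python
# Constructed model of the bug class behind CVE-2019-19629: a search index keeps
# a stale visibility snapshot after a project moves to a private group. Not GitLab code.
from dataclasses import dataclass

@dataclass
class Project:
    project_id: int
    group: str
    visibility: str  # "public" or "private"

class SearchIndex:
    # Toy stand-in for the Elasticsearch index: each document carries a copy of
    # the owning project's group and visibility as of indexing time.
    def __init__(self):
        self.docs = []
    def index(self, project, snippet):
        self.docs.append({"project_id": project.project_id, "group": project.group,
                          "visibility": project.visibility, "text": snippet})
    def reindex(self, project):
        # Refresh stored metadata for one project (the fix: run this on transfer).
        for d in self.docs:
            if d["project_id"] == project.project_id:
                d["group"], d["visibility"] = project.group, project.visibility

def transfer_to_private_group(project, new_group):
    # Owner moves a public project into a private group; it becomes private.
    project.group, project.visibility = new_group, "private"

def search_stale(index, query, user_groups):
    # Vulnerable pattern: authorises against the snapshot stored in the index.
    return [d["text"] for d in index.docs if query in d["text"]
            and (d["visibility"] == "public" or d["group"] in user_groups)]

def search_authoritative(index, projects, query, user_groups):
    # Hardened pattern: authorises against the live project record instead.
    return [d["text"] for d in index.docs if query in d["text"]
            and (projects[d["project_id"]].visibility == "public"
                 or projects[d["project_id"]].group in user_groups)]

def demo():
    # Constructed scenario: index a public project, transfer it, skip reindexing.
    proj = Project(1, "open-source", "public")
    idx = SearchIndex()
    idx.index(proj, "API_TOKEN = 'example-secret'")
    transfer_to_private_group(proj, "internal-team")
    leaked = search_stale(idx, "API_TOKEN", set())  # an outsider still sees it
    blocked = search_authoritative(idx, {1: proj}, "API_TOKEN", set())  # sees nothing
    idx.reindex(proj)
    return leaked, blocked, search_stale(idx, "API_TOKEN", set())
```

Running `demo()` returns the leaked hit from the stale index, an empty result from the authoritative check, and an empty result from the stale index once it has been refreshed.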

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
