{"id":"CVE-2019-19312","details":"GitLab EE 8.14 through 12.5, 12.4.3, and 12.3.6 has Incorrect Access Control. After a project changed to private, previously forked repositories were still able to get information about the private project through the API.","modified":"2026-04-09T06:38:47.726672Z","published":"2020-01-05T22:15:10.707Z","references":[{"type":"ADVISORY","url":"https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/"},{"type":"ADVISORY","url":"https://about.gitlab.com/blog/categories/releases/"},{"type":"REPORT","url":"https://gitlab.com/gitlab-org/gitlab/issues/28802"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"4ae57e0b374bbb8e461305d8a7a68b550bdd768d"},{"fixed":"5b6250ce868e5e25ff15d67f9002c357ae4f5b17"},{"introduced":"572e09f5e8fcd54b0366836668e6685da68de22f"},{"fixed":"4025dea89989ebe3bb6dcc8d5d9ddf9015cd868f"},{"introduced":"4878f9ac8941c5ad124c9f2216897109c5dde4af"},{"fixed":"c1b3929bc67011d623bb8c521afe4cf3c6fed4bb"}],"database_specific":{"versions":[{"introduced":"8.14.0"},{"fixed":"12.3.8"},{"introduced":"12.4.0"},{"fixed":"12.4.5"},{"introduced":"12.5.0"},{"fixed":"12.5.2"}]}}],"versions":["v12.4.0-ee","v12.4.2-ee","v12.4.3-ee","v12.5.0-ee"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19312.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}