Overview :
An access control issue exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions < 12.3.5, < 12.2.8, and < 12.1.14, where private merge requests and issues would be disclosed through the Group Search feature provided by the Elasticsearch integration.
Affected Product(s) :
  • Affects GitLab EE 11.5 and later. GitLab CE versions
Vulnerability Details :
CVE ID : CVE-2019-15590
Private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned CVE-2019-15590.

Solution :

We strongly recommend that all installations running an affected version listed above with the Elasticsearch integration enabled be upgraded to the latest version as soon as possible.