Impact
GitLab includes a flaw where cross‑project reference pages lack proper authorization checks, enabling an unauthenticated user to discover whether a private project exists. The issue does not grant code execution or broader access, but it exposes sensitive project existence information that could aid attackers in targeting further exploits.
Affected Systems
The vulnerability affects GitLab Community and Enterprise Editions. All releases from 9.1 up to but excluding 18.11.7, from 19.0 up to but excluding 19.0.4, and from 19.1 up to but excluding 19.1.2 are susceptible.
Risk and Exploitability
With a CVSS score of 4.3 the severity is low‑medium. EPSS data is unavailable, and the issue is not listed in CISA KEV. The attack vector requires no authentication and relies on querying the public cross‑project reference endpoints; exploitation merely confirms the existence of a private project.
OpenCVE Enrichment