CVE-2018-19572 (NVD)

2019-07-10

GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11.

Products: GitLab
Type: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
First patch: None (likely due to unavailable code)
Links:
https://gitlab.com/gitlab-org/gitlab-pages/issues/98
https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/