CVE-2019-19849: Deserialization of Untrusted Data
It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.
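The defensive pattern for this class of bug, as an added illustration that is not TYPO3's code or its actual patch: stored query configuration is refused if it names any class, and is then unserialized with object instantiation disabled, so a backend user who can write that setting cannot reach a constructor or magic method. The `AuditedSetting` class and the `unserializeQueryConfig()` helper are constructed for this example; it assumes PHP 7 or later, where `unserialize()` accepts the `allowed_classes` option.

```php
<?php
declare(strict_types=1);

// Constructed stand-in (not a TYPO3 class) for any class with side effects in a
// magic method: if unserialize() is allowed to instantiate it, __wakeup() runs.
final class AuditedSetting
{
    public string $name = 'example';

    public function __wakeup(): void
    {
        error_log("AuditedSetting::__wakeup() ran for {$this->name}");
    }
}

/**
 * Hardened replacement for a bare unserialize() of stored query configuration.
 * 1. Reject payloads that contain object tokens (O:/C:) before unserialize() runs;
 *    a false positive on an odd string value simply fails closed.
 * 2. Unserialize with allowed_classes => false so that even a payload slipping
 *    past the check yields __PHP_Incomplete_Class instead of a live object.
 * 3. Insist on the expected shape (an array) so callers never handle surprises.
 */
function unserializeQueryConfig(string $stored): array
{
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $stored) === 1) {
        throw new UnexpectedValueException('Query configuration must not contain objects');
    }
    $config = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($config)) {
        throw new UnexpectedValueException('Query configuration must be an array');
    }
    return $config;
}

// Benign stored configuration: scalars and arrays only, accepted as-is.
$good = serialize(['table' => 'pages', 'limit' => 10]);
var_dump(unserializeQueryConfig($good));

// Constructed payload that names a class: rejected before any object is created.
$bad = serialize(['table' => new AuditedSetting()]);
try {
    unserializeQueryConfig($bad);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the configuration format is under your control, serializing it as JSON and reading it back with `json_decode()` removes the deserialization surface entirely.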