CVE-2019-12430: 
GitLab vulnerability analysis and mitigation

A remote command execution vulnerability was discovered in GitLab Community and Enterprise Edition 11.11, identified as CVE-2019-12430. The vulnerability was discovered by @nyangawa of Chaitin Tech and disclosed on June 3, 2019. The vulnerability affected both GitLab Community Edition (CE) and Enterprise Edition (EE) version 11.11.0 (GitLab Release, NVD).

The vulnerability allows an authenticated malicious user to execute commands remotely through the repository download feature using a specially crafted payload. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as a Command Injection vulnerability (CWE-77) (NVD).

The vulnerability allows attackers with authenticated access to execute arbitrary commands remotely on the affected GitLab instance, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability of the system (NVD).

GitLab addressed this vulnerability in versions 11.11.1, 11.10.5, and 11.9.12 released on June 3, 2019. Users are strongly recommended to upgrade to these or later versions immediately to mitigate the vulnerability (GitLab Release).