CVE-2019-12432: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability was discovered in GitLab Community and Enterprise Edition versions 8.13 through 11.11. The vulnerability, identified as CVE-2019-12432, allowed non-member users who subscribed to issue notifications to access the titles of confidential issues through the unsubscription page (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, with no user interaction needed. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allowed unauthorized access to confidential issue titles, potentially exposing sensitive information to non-member users who had previously subscribed to issue notifications. The impact was limited to information disclosure of issue titles only, with no ability to modify or delete data (GitLab Release).

The vulnerability was patched in GitLab versions 11.11.1, 11.10.5, and 11.9.12. GitLab strongly recommended that all installations running affected versions be upgraded to the latest version immediately. The fix was implemented to prevent unauthorized access to confidential issue titles through the unsubscription page (GitLab Release).