CVE-2019-13004: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Community and Enterprise Edition versions 11.10 through 12.0.2 where when specific encoded characters were added to comments, the comments section would become inaccessible. This vulnerability was assigned CVE-2019-13004 and was disclosed in July 2019 (GitLab Release, NVD).

The vulnerability has been classified with a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and a CVSS v2.0 Base Score of 5.0 MEDIUM. The issue relates to incorrect access control when handling encoded characters in comments, which could lead to the comments section becoming completely inaccessible (NVD).

When exploited, this vulnerability would cause the comments section to become inaccessible, effectively creating a denial of service condition for the comments functionality. This impacts the availability of the commenting feature in affected GitLab installations (GitLab Release).

The vulnerability was fixed in GitLab version 12.0.3. GitLab strongly recommended that all installations running affected versions be upgraded to the latest version as soon as possible. The fix was also backported to versions 11.11.5 and 11.10.8 (GitLab Release).

The vulnerability was responsibly reported by security researcher @newbiemole, who was acknowledged in GitLab's security release announcement (GitLab Release).