All the vulnerabilites related to GitLab - GitLab CE/EE
cve-2020-26407
Vulnerability from cvelistv5
Published
2020-12-10 05:16
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/212630 | x_refsource_MISC | |
https://hackerone.com/reports/832117 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | Gitlab CE/EE |
Version: >=12.4 Version: <13.4.7 Version: >=13.5 Version: <13.5.5 Version: >=13.6 Version: <13.6.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.267Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/212630" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/832117" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Gitlab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=12.4" }, { "status": "affected", "version": "\u003c13.4.7" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.5" }, { "status": "affected", "version": "\u003e=13.6" }, { "status": "affected", "version": "\u003c13.6.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks (@vakzz)[https://hackerone.com/vakzz] for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-10T05:16:24", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/212630" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/832117" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26407", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Gitlab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=12.4" }, { "version_value": "\u003c13.4.7" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.5" }, { "version_value": "\u003e=13.6" }, { "version_value": "\u003c13.6.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks (@vakzz)[https://hackerone.com/vakzz] for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project" } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/212630", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/212630" }, { "name": "https://hackerone.com/reports/832117", "refsource": "MISC", "url": "https://hackerone.com/reports/832117" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26407", "datePublished": "2020-12-10T05:16:24", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15578
Vulnerability from cvelistv5
Published
2020-01-28 02:46
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/650574 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: before 12.3.2 Version: before 12.2.6 Version: before 12.1.12 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.672Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/650574" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "before 12.3.2" }, { "status": "affected", "version": "before 12.2.6" }, { "status": "affected", "version": "before 12.1.12" } ] } ], "descriptions": [ { "lang": "en", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:46:55", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/650574" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15578", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "before 12.3.2" }, { "version_value": "before 12.2.6" }, { "version_value": "before 12.1.12" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure (CWE-200)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "name": "https://hackerone.com/reports/650574", "refsource": "MISC", "url": "https://hackerone.com/reports/650574" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15578", "datePublished": "2020-01-28T02:46:55", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:49:13.672Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13355
Vulnerability from cvelistv5
Published
2020-11-18 23:30
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/255886 | x_refsource_MISC | |
https://hackerone.com/reports/990800 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=8.14 Version: <13.3.9 Version: >=13.4 Version: <13.4.5 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.457Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/255886" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/990800" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=8.14" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [saltyyolk](https://hackerone.com/saltyyolk) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: \u003e=8.14, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-18T23:30:25", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/255886" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/990800" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13355", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=8.14" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [saltyyolk](https://hackerone.com/saltyyolk) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: \u003e=8.14, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/255886", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/255886" }, { "name": "https://hackerone.com/reports/990800", "refsource": "MISC", "url": "https://hackerone.com/reports/990800" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13355", "datePublished": "2020-11-18T23:30:25", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-26413
Vulnerability from cvelistv5
Published
2020-12-11 03:47
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/244275 | x_refsource_MISC | |
https://hackerone.com/reports/972355 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=13.4, <13.4.7 Version: >=13.5, <13.5.5 Version: >=13.6, <13.6.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.703Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244275" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/972355" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=13.4, \u003c13.4.7" }, { "status": "affected", "version": "\u003e=13.5, \u003c13.5.5" }, { "status": "affected", "version": "\u003e=13.6, \u003c13.6.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [vaib25vicky](https://hackerone.com/vaib25vicky) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure in GitLab CE/EE", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T03:47:34", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244275" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/972355" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26413", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=13.4, \u003c13.4.7" }, { "version_value": "\u003e=13.5, \u003c13.5.5" }, { "version_value": "\u003e=13.6, \u003c13.6.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [vaib25vicky](https://hackerone.com/vaib25vicky) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information exposure in GitLab CE/EE" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/244275", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244275" }, { "name": "https://hackerone.com/reports/972355", "refsource": "MISC", "url": "https://hackerone.com/reports/972355" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26413", "datePublished": "2020-12-11T03:47:34", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15585
Vulnerability from cvelistv5
Published
2020-01-28 02:21
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
Improper authentication exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user's account.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/471323 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | Gitlab CE/EE |
Version: before 12.3.2 Version: before 12.2.6 Version: before 12.1.12 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.654Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/471323" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Gitlab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "before 12.3.2" }, { "status": "affected", "version": "before 12.2.6" }, { "status": "affected", "version": "before 12.1.12" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper authentication exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user\u0027s account." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "Improper Authentication - Generic (CWE-287)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:21:16", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/471323" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15585", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Gitlab CE/EE", "version": { "version_data": [ { "version_value": "before 12.3.2" }, { "version_value": "before 12.2.6" }, { "version_value": "before 12.1.12" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Improper authentication exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) in the GitLab SAML integration had a validation issue that permitted an attacker to takeover another user\u0027s account." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Authentication - Generic (CWE-287)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "name": "https://hackerone.com/reports/471323", "refsource": "MISC", "url": "https://hackerone.com/reports/471323" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15585", "datePublished": "2020-01-28T02:21:16", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:49:13.654Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13358
Vulnerability from cvelistv5
Published
2020-11-17 00:20
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/241674 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | Gitlab CE/EE |
Version: >=13.4 Version: <13.4.5 Version: >=13.3 Version: <13.3.9 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.461Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Gitlab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.3" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: \u003e=13.4, \u003c13.4.5,\u003e=13.3, \u003c13.3.9,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Improper authorization in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T00:20:25", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13358", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Gitlab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.3" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: \u003e=13.4, \u003c13.4.5,\u003e=13.3, \u003c13.3.9,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper authorization in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13358", "datePublished": "2020-11-17T00:20:25", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13350
Vulnerability from cvelistv5
Published
2020-11-17 17:55
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/24416 | x_refsource_MISC | |
https://hackerone.com/reports/415238 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=13.5.0 Version: <13.5.2 Version: >=13.4.0 Version: <13.4.5 Version: <13.3.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/24416" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/415238" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=13.5.0" }, { "status": "affected", "version": "\u003c13.5.2" }, { "status": "affected", "version": "\u003e=13.4.0" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003c13.3.9" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@ngalog](https://hackerone.com/ngalog) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who\u0027s able to target GitLab instance administrators to pause/resume runners. Affected versions are \u003e=13.5.0, \u003c13.5.2,\u003e=13.4.0, \u003c13.4.5,\u003c13.3.9." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site request forgery (csrf) in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T17:55:43", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/24416" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/415238" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13350", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=13.5.0" }, { "version_value": "\u003c13.5.2" }, { "version_value": "\u003e=13.4.0" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003c13.3.9" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@ngalog](https://hackerone.com/ngalog) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who\u0027s able to target GitLab instance administrators to pause/resume runners. Affected versions are \u003e=13.5.0, \u003c13.5.2,\u003e=13.4.0, \u003c13.4.5,\u003c13.3.9." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site request forgery (csrf) in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/24416", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/24416" }, { "name": "https://hackerone.com/reports/415238", "refsource": "MISC", "url": "https://hackerone.com/reports/415238" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13350", "datePublished": "2020-11-17T17:55:43", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-26408
Vulnerability from cvelistv5
Published
2020-12-11 04:01
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/33563 | x_refsource_MISC | |
https://hackerone.com/reports/703894 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >= 12.2 to <13.4.7 Version: >=13.5 to <13.5.5 Version: >=13.6 to <13.6.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.394Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/33563" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/703894" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e= 12.2 to \u003c13.4.7" }, { "status": "affected", "version": "\u003e=13.5 to \u003c13.5.5" }, { "status": "affected", "version": "\u003e=13.6 to \u003c13.6.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@maruthi12](https://hackerone.com/maruthi12) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "A limited information disclosure vulnerability exists in Gitlab CE/EE from \u003e= 12.2 to \u003c13.4.7, \u003e=13.5 to \u003c13.5.5, and \u003e=13.6 to \u003c13.6.2 that allows an attacker to view limited information in user\u0027s private profile" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T04:01:26", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/33563" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/703894" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26408", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e= 12.2 to \u003c13.4.7" }, { "version_value": "\u003e=13.5 to \u003c13.5.5" }, { "version_value": "\u003e=13.6 to \u003c13.6.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@maruthi12](https://hackerone.com/maruthi12) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A limited information disclosure vulnerability exists in Gitlab CE/EE from \u003e= 12.2 to \u003c13.4.7, \u003e=13.5 to \u003c13.5.5, and \u003e=13.6 to \u003c13.6.2 that allows an attacker to view limited information in user\u0027s private profile" } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information exposure in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/33563", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/33563" }, { "name": "https://hackerone.com/reports/703894", "refsource": "MISC", "url": "https://hackerone.com/reports/703894" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26408", "datePublished": "2020-12-11T04:01:26", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.394Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13356
Vulnerability from cvelistv5
Published
2020-11-18 23:35
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/230878 | x_refsource_MISC | |
https://hackerone.com/reports/927953 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13356.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=8.8.9 Version: <13.3.9 Version: >=13.4 Version: <13.4.5 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.540Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/230878" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/927953" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13356.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=8.8.9" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [ledz1996](https://hackerone.com/ledz1996) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: \u003e=8.8.9, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-18T23:35:05", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/230878" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/927953" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13356.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13356", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=8.8.9" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [ledz1996](https://hackerone.com/ledz1996) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: \u003e=8.8.9, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information exposure in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/230878", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/230878" }, { "name": "https://hackerone.com/reports/927953", "refsource": "MISC", "url": "https://hackerone.com/reports/927953" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13356.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13356.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13356", "datePublished": "2020-11-18T23:35:05", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.540Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13352
Vulnerability from cvelistv5
Published
2020-11-17 00:36
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/38281 | x_refsource_MISC | |
https://hackerone.com/reports/748315 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=10.2 Version: <13.3.9 Version: >=13.4 Version: <13.4.5 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.655Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/748315" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=10.2" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: \u003e=10.2, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Exposure of private information (\u0027privacy violation\u0027) in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T00:36:27", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/748315" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13352", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=10.2" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. Affected versions are: \u003e=10.2, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Exposure of private information (\u0027privacy violation\u0027) in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/38281" }, { "name": "https://hackerone.com/reports/748315", "refsource": "MISC", "url": "https://hackerone.com/reports/748315" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13352", "datePublished": "2020-11-17T00:36:27", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.655Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-5464
Vulnerability from cvelistv5
Published
2020-01-28 02:23
Modified
2024-08-04 19:54
Severity ?
EPSS score ?
Summary
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/632101 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/gitlab-ce/issues/63959 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: Affects GitLab CE/EE 10.2 and later Version: Fixed in 12.1.2 in 12.0.4 and in 11.11.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:54:53.478Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/632101" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/63959" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "Affects GitLab CE/EE 10.2 and later" }, { "status": "affected", "version": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6" } ] } ], "descriptions": [ { "lang": "en", "value": "A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:23:14", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/632101" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/63959" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5464", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "Affects GitLab CE/EE 10.2 and later" }, { "version_value": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Input Validation (CWE-20)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "name": "https://hackerone.com/reports/632101", "refsource": "MISC", "url": "https://hackerone.com/reports/632101" }, { "name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/63959", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/63959" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5464", "datePublished": "2020-01-28T02:23:14", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15586
Vulnerability from cvelistv5
Published
2020-01-28 02:14
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
A XSS exists in Gitlab CE/EE < 12.1.10 in the Mermaid plugin.
References
▼ | URL | Tags |
---|---|---|
https://hackerone.com/reports/645043 | x_refsource_MISC | |
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | Gitlab CE/EE |
Version: before 12.1.10 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.628Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/645043" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Gitlab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "before 12.1.10" } ] } ], "descriptions": [ { "lang": "en", "value": "A XSS exists in Gitlab CE/EE \u003c 12.1.10 in the Mermaid plugin." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Cross-site Scripting (XSS) - DOM (CWE-79)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:14:59", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/645043" }, { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15586", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Gitlab CE/EE", "version": { "version_data": [ { "version_value": "before 12.1.10" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A XSS exists in Gitlab CE/EE \u003c 12.1.10 in the Mermaid plugin." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site Scripting (XSS) - DOM (CWE-79)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/645043", "refsource": "MISC", "url": "https://hackerone.com/reports/645043" }, { "name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15586", "datePublished": "2020-01-28T02:14:59", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:49:13.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-26417
Vulnerability from cvelistv5
Published
2020-12-11 03:37
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/282539 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=13.6 to <13.6.2 Version: >=13.5 to <13.5.5 Version: >=13.1 to <13.4.7 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=13.6 to \u003c13.6.2" }, { "status": "affected", "version": "\u003e=13.5 to \u003c13.5.5" }, { "status": "affected", "version": "\u003e=13.1 to \u003c13.4.7" } ] } ], "credits": [ { "lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "descriptions": [ { "lang": "en", "value": "Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions \u003e=13.6 to \u003c13.6.2, \u003e=13.5 to \u003c13.5.5, and \u003e=13.1 to \u003c13.4.7." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T03:37:36", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26417", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=13.6 to \u003c13.6.2" }, { "version_value": "\u003e=13.5 to \u003c13.5.5" }, { "version_value": "\u003e=13.1 to \u003c13.4.7" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions \u003e=13.6 to \u003c13.6.2, \u003e=13.5 to \u003c13.5.5, and \u003e=13.1 to \u003c13.4.7." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information exposure in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26417", "datePublished": "2020-12-11T03:37:36", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13359
Vulnerability from cvelistv5
Published
2020-11-18 23:57
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/250266 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13359.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=12.10 Version: <13.3.9 Version: >=13.4 Version: <13.4.5 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.623Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/250266" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13359.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=12.10" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "descriptions": [ { "lang": "en", "value": "The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are \u003e=12.10, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-18T23:57:34", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/250266" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13359.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13359", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=12.10" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are \u003e=12.10, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information exposure in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/250266", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/250266" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13359.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13359.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13359", "datePublished": "2020-11-18T23:57:34", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.623Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13357
Vulnerability from cvelistv5
Published
2020-12-11 03:55
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/241132 | x_refsource_MISC | |
https://hackerone.com/reports/962408 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >= 13.1 to <13.4.7 Version: >= 13.5 to <13.5.5 Version: >= 13.6 to <13.6.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.628Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241132" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/962408" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e= 13.1 to \u003c13.4.7" }, { "status": "affected", "version": "\u003e= 13.5 to \u003c13.5.5" }, { "status": "affected", "version": "\u003e= 13.6 to \u003c13.6.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Gitlab CE/EE versions \u003e= 13.1 to \u003c13.4.7, \u003e= 13.5 to \u003c13.5.5, and \u003e= 13.6 to \u003c13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Authorization bypass through user-controlled key in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T03:55:55", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241132" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/962408" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13357", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e= 13.1 to \u003c13.4.7" }, { "version_value": "\u003e= 13.5 to \u003c13.5.5" }, { "version_value": "\u003e= 13.6 to \u003c13.6.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Gitlab CE/EE versions \u003e= 13.1 to \u003c13.4.7, \u003e= 13.5 to \u003c13.5.5, and \u003e= 13.6 to \u003c13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Authorization bypass through user-controlled key in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/241132", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241132" }, { "name": "https://hackerone.com/reports/962408", "refsource": "MISC", "url": "https://hackerone.com/reports/962408" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13357.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13357", "datePublished": "2020-12-11T03:55:55", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15583
Vulnerability from cvelistv5
Published
2020-01-28 02:24
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/643854 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: before 12.3.2 Version: before 12.2.6 Version: before 12.1.12 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.753Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/643854" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "before 12.3.2" }, { "status": "affected", "version": "before 12.2.6" }, { "status": "affected", "version": "before 12.1.12" } ] } ], "descriptions": [ { "lang": "en", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:24:38", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/643854" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15583", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "before 12.3.2" }, { "version_value": "before 12.2.6" }, { "version_value": "before 12.1.12" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE). When an issue was moved to a public project from a private one, the associated private labels and the private project namespace would be disclosed through the GitLab API." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure (CWE-200)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "name": "https://hackerone.com/reports/643854", "refsource": "MISC", "url": "https://hackerone.com/reports/643854" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15583", "datePublished": "2020-01-28T02:24:38", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:49:13.753Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-15579
Vulnerability from cvelistv5
Published
2020-01-28 02:45
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An information disclosure exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/635516 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: before 12.3.2 Version: before 12.2.6 Version: before 12.1.12 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/635516" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "before 12.3.2" }, { "status": "affected", "version": "before 12.2.6" }, { "status": "affected", "version": "before 12.1.12" } ] } ], "descriptions": [ { "lang": "en", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:45:42", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/635516" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15579", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "before 12.3.2" }, { "version_value": "before 12.2.6" }, { "version_value": "before 12.1.12" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) where the assignee(s) of a confidential issue in a private project would be disclosed to a guest via milestones." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure (CWE-200)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/" }, { "name": "https://hackerone.com/reports/635516", "refsource": "MISC", "url": "https://hackerone.com/reports/635516" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15579", "datePublished": "2020-01-28T02:45:42", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2024-08-05T00:49:13.633Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-26409
Vulnerability from cvelistv5
Published
2020-12-11 01:17
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/259626 | x_refsource_MISC | |
https://hackerone.com/reports/990461 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26409.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=10.3 Version: <13.4.7 Version: >=13.5 Version: <13.5.5 Version: >=13.6 Version: <13.6.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.626Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/259626" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/990461" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26409.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=10.3" }, { "status": "affected", "version": "\u003c13.4.7" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.5" }, { "status": "affected", "version": "\u003e=13.6" }, { "status": "affected", "version": "\u003c13.6.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [misha98857](https://hackerone.com/misha98857) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "A DOS vulnerability exists in Gitlab CE/EE \u003e=10.3, \u003c13.4.7,\u003e=13.5, \u003c13.5.5,\u003e=13.6, \u003c13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Uncontrolled resource consumption in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T01:17:28", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/259626" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/990461" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26409.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26409", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=10.3" }, { "version_value": "\u003c13.4.7" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.5" }, { "version_value": "\u003e=13.6" }, { "version_value": "\u003c13.6.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [misha98857](https://hackerone.com/misha98857) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A DOS vulnerability exists in Gitlab CE/EE \u003e=10.3, \u003c13.4.7,\u003e=13.5, \u003c13.5.5,\u003e=13.6, \u003c13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Uncontrolled resource consumption in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/259626", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/259626" }, { "name": "https://hackerone.com/reports/990461", "refsource": "MISC", "url": "https://hackerone.com/reports/990461" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26409.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26409.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26409", "datePublished": "2020-12-11T01:17:28", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.626Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13351
Vulnerability from cvelistv5
Published
2020-11-17 17:52
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9,>=13.4.0, <13.4.5,>=13.5.0, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/239369 | x_refsource_MISC | |
https://hackerone.com/reports/962462 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=13.0 Version: <13.3.9 Version: >=13.4.0 Version: <13.4.5 Version: >=13.5.0 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.580Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/239369" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/962462" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=13.0" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4.0" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5.0" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@vaib25vicky](https://hackerone.com/vaib25vicky) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are \u003e=13.0, \u003c13.3.9,\u003e=13.4.0, \u003c13.4.5,\u003e=13.5.0, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Authorization bypass through user-controlled key in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T17:52:28", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/239369" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/962462" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13351", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=13.0" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4.0" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5.0" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@vaib25vicky](https://hackerone.com/vaib25vicky) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are \u003e=13.0, \u003c13.3.9,\u003e=13.4.0, \u003c13.4.5,\u003e=13.5.0, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Authorization bypass through user-controlled key in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/239369", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/239369" }, { "name": "https://hackerone.com/reports/962462", "refsource": "MISC", "url": "https://hackerone.com/reports/962462" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13351", "datePublished": "2020-11-17T17:52:28", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.580Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-5465
Vulnerability from cvelistv5
Published
2020-01-28 02:28
Modified
2024-08-04 19:54
Severity ?
EPSS score ?
Summary
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
References
▼ | URL | Tags |
---|---|---|
https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ | x_refsource_MISC | |
https://hackerone.com/reports/584534 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/gitlab-ce/issues/62070 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: Affects GitLab CE/EE 8.14 and later Version: Fixed in 12.1.2 in 12.0.4 and in 11.11.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:54:53.509Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/584534" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/62070" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "Affects GitLab CE/EE 8.14 and later" }, { "status": "affected", "version": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6" } ] } ], "descriptions": [ { "lang": "en", "value": "An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-28T02:28:00", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/584534" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/62070" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5465", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "Affects GitLab CE/EE 8.14 and later" }, { "version_value": "Fixed in 12.1.2 in 12.0.4 and in 11.11.6" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure (CWE-200)" } ] } ] }, "references": { "reference_data": [ { "name": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/", "refsource": "MISC", "url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/" }, { "name": "https://hackerone.com/reports/584534", "refsource": "MISC", "url": "https://hackerone.com/reports/584534" }, { "name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/62070", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/62070" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5465", "datePublished": "2020-01-28T02:28:00", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.509Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-13354
Vulnerability from cvelistv5
Published
2020-11-17 00:43
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/220019 | x_refsource_MISC | |
https://hackerone.com/reports/869875 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=12.6 Version: <13.3.9 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:18:17.583Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/869875" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=12.6" }, { "status": "affected", "version": "\u003c13.3.9" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@anyday](https://hackerone.com/anyday) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: \u003e=12.6, \u003c13.3.9." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Uncontrolled resource consumption in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T00:43:55", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/869875" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13354", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=12.6" }, { "version_value": "\u003c13.3.9" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@anyday](https://hackerone.com/anyday) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: \u003e=12.6, \u003c13.3.9." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Uncontrolled resource consumption in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/220019" }, { "name": "https://hackerone.com/reports/869875", "refsource": "MISC", "url": "https://hackerone.com/reports/869875" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13354", "datePublished": "2020-11-17T00:43:55", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:18:17.583Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-26405
Vulnerability from cvelistv5
Published
2020-11-17 18:26
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/gitlab-org/gitlab/-/issues/247371 | x_refsource_MISC | |
https://hackerone.com/reports/835427 | x_refsource_MISC | |
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | GitLab | GitLab CE/EE |
Version: >=12.8 Version: <13.3.9 Version: >=13.4 Version: <13.4.5 Version: >=13.5 Version: <13.5.2 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.586Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/247371" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/835427" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "GitLab CE/EE", "vendor": "GitLab", "versions": [ { "status": "affected", "version": "\u003e=12.8" }, { "status": "affected", "version": "\u003c13.3.9" }, { "status": "affected", "version": "\u003e=13.4" }, { "status": "affected", "version": "\u003c13.4.5" }, { "status": "affected", "version": "\u003e=13.5" }, { "status": "affected", "version": "\u003c13.5.2" } ] } ], "credits": [ { "lang": "en", "value": "Thanks [@vakzz](https://hackerone.com/vakzz) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are \u003e=12.8, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitLab", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-17T18:26:50", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/247371" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/835427" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26405", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "GitLab CE/EE", "version": { "version_data": [ { "version_value": "\u003e=12.8" }, { "version_value": "\u003c13.3.9" }, { "version_value": "\u003e=13.4" }, { "version_value": "\u003c13.4.5" }, { "version_value": "\u003e=13.5" }, { "version_value": "\u003c13.5.2" } ] } } ] }, "vendor_name": "GitLab" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks [@vakzz](https://hackerone.com/vakzz) for reporting this vulnerability through our HackerOne bug bounty program" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are \u003e=12.8, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitLab" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/gitlab-org/gitlab/-/issues/247371", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/247371" }, { "name": "https://hackerone.com/reports/835427", "refsource": "MISC", "url": "https://hackerone.com/reports/835427" }, { "name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json" } ] } } } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26405", "datePublished": "2020-11-17T18:26:50", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }