Unauthorized Information Exposure in GitLab Enterprise Edition
CVE-2020-26406

5.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab Ee
Vendor: CVE Published:; 17 November 2020

Summary

GitLab Enterprise Edition versions starting from 13.3 are susceptible to unauthorized information exposure. This vulnerability allows non-members of public projects and guest members of private projects to access sensitive SAST CiConfiguration data through GraphQL, potentially compromising the confidentiality of the project. Affected versions include specific ranges that should be monitored for appropriate patches.

Affected Version(s)

GitLab EE >=13.3, <13.3.9 < 13.3, 13.3.9

GitLab EE >=13.4, <13.4.5 < 13.4, 13.4.5

GitLab EE >=13.5, <13.5.2 < 13.5, 13.5.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/244921

x_refsource_MISC

https://hackerone.com/reports/965602

x_refsource_MISC

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 17, 2020
Vulnerability Reserved
Oct 1, 2020

Credit

Thanks [ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program

.