Confidential Information Exposure in GitLab by Removed Group Members
CVE-2020-26412

3.1LOW

Key Information:

Vendor: Gitlab
Status: Gitlab Ee
Vendor: CVE Published:; 11 December 2020

Summary

This vulnerability allows removed group members to access the To-Do functionality, enabling them to retrieve updated information on confidential epics. This exposure of sensitive data can lead to unauthorized access and compromises the integrity of the project's confidentiality. The issue affects multiple versions of GitLab EE, particularly those before 13.6.2.

Affected Version(s)

GitLab EE >=13.2, <13.4.7 < 13.2, 13.4.7

GitLab EE >=13.5, <13.5.5 < 13.5, 13.5.5

GitLab EE >=13.6, <13.6.2 < 13.6, 13.6.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/228670

x_refsource_MISC

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 11, 2020
Vulnerability Reserved
Oct 1, 2020

Credit

This vulnerability has been discovered internally by the GitLab team