Information Disclosure in GitLab EE Advanced Search Component
CVE-2020-26416
4 MEDIUM
Summary
The Advanced Search component in GitLab EE writes sensitive search terms to the Rails logs, potentially exposing confidential user data to anyone who can read those logs. Affected versions range from 8.4 up to (but not including) 13.4.7, plus specific releases in the 13.5 and 13.6 series. Because the logged search terms can reveal confidential information, users should upgrade their installations to a fixed version to protect their sensitive data.
Affected Version(s)
GitLab EE >=8.4 to <13.4.7
GitLab EE >=13.5 to <13.5.5
GitLab EE >=13.6 to <13.6.2
CVSS V3.1
Score: 4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
This vulnerability was discovered internally by the GitLab team.