CVE-2020-10955 — Missing Authorization in Gitlab

CWE-862 — Missing Authorization CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 60.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Debian Linux +1 more

Timeline

PublishedMar 27

Latest updateMay 24

Description

GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab11.1.0 — 12.9.1

▶debiandebian/gitlab< gitlab 13.2.3-2 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

GHSA-4hq6-hm84-9r6r: GitLab EE/CE 11↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2020-10955: GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available un↗2020-03-27

▶

Debian

CVE-2020-10955: gitlab - GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload...↗2020

▶