CVE-2020-13272Insufficient Verification of Data Authenticity in Gitlab

CWE-345Insufficient Verification of Data AuthenticityCWE-863Incorrect Authorization3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 68.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedJun 19
Latest updateMay 24

Description

OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

NVDgitlab/gitlab12.3.012.9.8+2
CVEListV5gitlab/gitlab>=12.10, <12.10.7, >=12.3, <12.9.8, >=13.0, <13.0.1+2
debiandebian/gitlab

🔴Vulnerability Details

1
GHSA
GHSA-jmw9-579m-cw2x: OAuth flow missing verification checks CE/EE 122022-05-24

📋Vendor Advisories

1
Debian
CVE-2020-13272: gitlab - OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allow...2020