CVE-2020-13276 — Missing Authorization in Gitlab

CWE-862 — Missing Authorization CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 71.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 19

Latest updateMay 24

Description

User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab12.10.0 — 12.10.7+2

▶debiandebian/gitlab< gitlab 13.2.3-2 (sid)

▶CVEListV5gitlab/gitlab<12.9.8, >=12.10, <12.10.7, >=13.0, <13.0.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-hg4v-vm5j-rq45: User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13↗2022-05-24

▶

OSV

CVE-2020-13276: User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13↗2020-06-19

▶

📋Vendor Advisories

GitLab

CVE-2020-13276: User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1↗2020-06-19

▶

Debian

CVE-2020-13276: gitlab - User is allowed to set an email as a notification email even without verifying t...↗2020

▶