CVE-2020-13282 — Improper Preservation of Permissions in Gitlab

CWE-281 — Improper Preservation of Permissions5 documents5 sources

Severity

3.5LOWNVD

EPSS

0.1%

top 64.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedAug 13

Latest updateMay 24

Description

For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:NExploitability: 0.9 | Impact: 2.5

Affected Packages4 packages

▶NVDgitlab/gitlab10.5.0 — 13.0.12+2

▶debiandebian/gitlab< gitlab 13.2.3-2 (sid)

▶CVEListV5gitlab/gitlab>=10.5, <13.0.12, >=13.1, <13.1.6, >=13.2, <13.2.3+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-5mcq-mg28-vj82: For GitLab before 13↗2022-05-24

▶

OSV

CVE-2020-13282: For GitLab before 13↗2020-08-13

▶

📋Vendor Advisories

GitLab

CVE-2020-13282: For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading t↗2020-08-13

▶

Debian

CVE-2020-13282: gitlab - For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members...↗2020

▶