CVE-2020-13286 — Server-Side Request Forgery in Gitlab

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 66.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedAug 13

Latest updateMay 24

Description

For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDgitlab/gitlab12.7.0 — 13.0.12+2

▶CVEListV5gitlab/gitlab>=12.7.0, <13.0.12, >=13.1, <13.1.6, >=13.2, <13.2.3+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-59q4-w53p-6vq9: For GitLab before 13↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2020-13286: For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration settings can be modified to result in Server Side Request Forgery.↗2020-08-13

▶

Debian

CVE-2020-13286: gitlab - For GitLab before 13.0.12, 13.1.6, 13.2.3 user controlled git configuration sett...↗2020

▶