CVE-2020-13344 — Insufficiently Protected Credentials in Gitlab

CWE-522 — Insufficiently Protected Credentials CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 77.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedOct 8

Latest updateMay 24

Description

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab10.8.0 — 13.2.10+2

▶debiandebian/gitlab< gitlab 13.2.10-1 (sid)

▶CVEListV5gitlab/gitlab>=10.8, <13.2.10, >=13.3.0, <13.3.7, >=13.4.0, <13.4.2+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-gc5m-gc6j-fr9q: An issue has been discovered in GitLab affecting all versions prior to 13↗2022-05-24

▶

OSV

CVE-2020-13344: An issue has been discovered in GitLab affecting all versions prior to 13↗2020-10-08

▶

📋Vendor Advisories

GitLab

CVE-2020-13344: An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis whi↗2020-10-08

▶

Debian

CVE-2020-13344: gitlab - An issue has been discovered in GitLab affecting all versions prior to 13.2.10, ...↗2020

▶