CVE-2020-13346 — Incomplete Cleanup in Gitlab

CWE-459 — Incomplete Cleanup CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 52.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedOct 7

Latest updateMay 24

Description

Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgitlab/gitlab11.2.0 — 13.2.10+2

▶debiandebian/gitlab< gitlab 13.2.10-1 (sid)

▶CVEListV5gitlab/gitlab>=11.2, <13.2.10, >=13.3.0, <13.3.7, >=13.4.0, <13.4.2+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-8wmm-qgmm-95gm: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13↗2022-05-24

▶

OSV

CVE-2020-13346: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13↗2020-10-07

▶

📋Vendor Advisories

GitLab

CVE-2020-13346: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access conf↗2020-10-07

▶

Debian

CVE-2020-13346: gitlab - Membership changes are not reflected in ToDo subscriptions in GitLab versions pr...↗2020

▶