CVE-2020-13346
Published: 2020-10-07
Priority: P3 (35), medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.32% (67.3th percentile)
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 13.2.10-1 (sid) | gitlab 13.2.10-1 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.2.0 < 13.2.10 | 13.2.10 |
| gitlab | gitlab | >= 13.3.0 < 13.3.7 | 13.3.7 |
| gitlab | gitlab | >= 13.4.0 < 13.4.2 | 13.4.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
GitLab (vendor_gitlab · 2020-10-07 · CVSS 6.5)
CVE-2020-13346 [MEDIUM] CWE-459: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Debian (vendor_debian · 2020 · CVSS 6.5)
CVE-2020-13346 [MEDIUM]: gitlab - Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
Scope: local
sid: resolved (fixed in 13.2.10-1)
GHSA (ghsa_unreviewed · 2022-05-24)
GHSA-8wmm-qgmm-95gm / CVE-2020-13346 [MEDIUM] CWE-200: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
OSV (osv · 2020-10-07 · CVSS 6.5)
CVE-2020-13346 [MEDIUM]: Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13346.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/219496
- https://hackerone.com/reports/880863