CVE-2020-26406

5 documents5 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 49.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Gitlab Gitlab Gitlab EE

Timeline

PublishedNov 17

Latest updateMay 24

Description

Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, =13.4, =13.5, <13.5.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgitlab/gitlab13.3.0 — 13.3.9+2

▶CVEListV5gitlab/gitlab_ee>=13.3, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2+2

🔴Vulnerability Details

GHSA

GHSA-wx3j-3x93-528x: Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13↗2022-05-24

▶

CVEList

CVE-2020-26406: Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13↗2020-11-17

▶

📋Vendor Advisories

GitLab

CVE-2020-26406: Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through G↗2020-11-17

▶

Debian

CVE-2020-26406: gitlab - Certain SAST CiConfiguration information could be viewed by unauthorized users i...↗2020

▶