CVE-2020-26412 — Sensitive Information Exposure in Gitlab

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

4.3MEDIUMNVD

CNA3.1

EPSS

0.1%

top 67.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Gitlab EE

Timeline

PublishedDec 11

Latest updateMay 24

Description

Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDgitlab/gitlab13.2.0 — 13.6.2

▶CVEListV5gitlab/gitlab_ee>=13.2, <13.4.7, >=13.5, <13.5.5, >=13.6, <13.6.2+2

🔴Vulnerability Details

GHSA

GHSA-66h6-4ppg-82p8: Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13↗2022-05-24

▶

OSV

CVE-2020-26412: Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13↗2020-12-11

▶

CVEList

CVE-2020-26412: Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13↗2020-12-11

▶

📋Vendor Advisories

GitLab

CVE-2020-26412: Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before↗2020-12-11

▶

Debian

CVE-2020-26412: gitlab - Removed group members were able to use the To-Do functionality to retrieve updat...↗2020

▶