All the vulnerabilites related to GitLab - GitLab EE
cve-2020-26412
Vulnerability from cvelistv5
Published
2020-12-11 03:51
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/228670 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/228670"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=13.2, \u003c13.4.7"
},
{
"status": "affected",
"version": "\u003e=13.5, \u003c13.5.5"
},
{
"status": "affected",
"version": "\u003e=13.6, \u003c13.6.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information exposure in GitLab EE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T03:51:02",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/228670"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2020-26412",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=13.2, \u003c13.4.7"
},
{
"version_value": "\u003e=13.5, \u003c13.5.5"
},
{
"version_value": "\u003e=13.6, \u003c13.6.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information exposure in GitLab EE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/228670",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/228670"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2020-26412",
"datePublished": "2020-12-11T03:51:02",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13349
Vulnerability from cvelistv5
Published
2020-11-17 18:22
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/257497 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:18:17.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=8.12"
},
{
"status": "affected",
"version": "\u003c13.3.9"
},
{
"status": "affected",
"version": "\u003e=13.4"
},
{
"status": "affected",
"version": "\u003c13.4.5"
},
{
"status": "affected",
"version": "\u003e=13.5"
},
{
"status": "affected",
"version": "\u003c13.5.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are \u003e=8.12, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Uncontrolled resource consumption in GitLab",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-17T18:22:32",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2020-13349",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=8.12"
},
{
"version_value": "\u003c13.3.9"
},
{
"version_value": "\u003e=13.4"
},
{
"version_value": "\u003c13.4.5"
},
{
"version_value": "\u003e=13.5"
},
{
"version_value": "\u003c13.5.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are \u003e=8.12, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Uncontrolled resource consumption in GitLab"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2020-13349",
"datePublished": "2020-11-17T18:22:32",
"dateReserved": "2020-05-21T00:00:00",
"dateUpdated": "2024-08-04T12:18:17.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-15590
Vulnerability from cvelistv5
Published
2020-01-28 02:31
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An access control issue exists in < 12.3.5, < 12.2.8, and < 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration
References
| ▼ | URL | Tags |
|---|---|---|
| https://hackerone.com/reports/701144 | x_refsource_MISC | |
| https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:49:13.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/701144"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "before 12.3.5"
},
{
"status": "affected",
"version": "before 12.2.8"
},
{
"status": "affected",
"version": "before 12.1.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An access control issue exists in \u003c 12.3.5, \u003c 12.2.8, and \u003c 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control - Generic (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-28T02:31:05",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/701144"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-15590",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "before 12.3.5"
},
{
"version_value": "before 12.2.8"
},
{
"version_value": "before 12.1.14"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An access control issue exists in \u003c 12.3.5, \u003c 12.2.8, and \u003c 12.1.14 for GitLab Community Edition (CE) and Enterprise Edition (EE) where private merge requests and issues would be disclosed with the Group Search feature provided by Elasticsearch integration"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control - Generic (CWE-284)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/701144",
"refsource": "MISC",
"url": "https://hackerone.com/reports/701144"
},
{
"name": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/",
"refsource": "MISC",
"url": "https://about.gitlab.com/releases/2019/10/07/security-release-gitlab-12-dot-3-dot-5-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-15590",
"datePublished": "2020-01-28T02:31:05",
"dateReserved": "2019-08-26T00:00:00",
"dateUpdated": "2024-08-05T00:49:13.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-5474
Vulnerability from cvelistv5
Published
2020-01-28 02:29
Modified
2024-08-04 19:54
Severity ?
EPSS score ?
Summary
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/ | x_refsource_MISC | |
| https://hackerone.com/reports/544756 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/gitlab-ee/issues/11423 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:54:53.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/544756"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/11423"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "before 12.1.2"
},
{
"status": "affected",
"version": "before 12.0.4"
},
{
"status": "affected",
"version": "before 11.11.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An authorization issue was discovered in GitLab EE \u003c 12.1.2, \u003c 12.0.4, and \u003c 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control - Generic (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-28T02:29:38",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/544756"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/11423"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5474",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "before 12.1.2"
},
{
"version_value": "before 12.0.4"
},
{
"version_value": "before 11.11.6"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authorization issue was discovered in GitLab EE \u003c 12.1.2, \u003c 12.0.4, and \u003c 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control - Generic (CWE-284)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/",
"refsource": "MISC",
"url": "https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/"
},
{
"name": "https://hackerone.com/reports/544756",
"refsource": "MISC",
"url": "https://hackerone.com/reports/544756"
},
{
"name": "https://gitlab.com/gitlab-org/gitlab-ee/issues/11423",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab-ee/issues/11423"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-5474",
"datePublished": "2020-01-28T02:29:38",
"dateReserved": "2019-01-04T00:00:00",
"dateUpdated": "2024-08-04T19:54:53.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-15581
Vulnerability from cvelistv5
Published
2020-01-28 02:43
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An IDOR exists in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules.
References
| ▼ | URL | Tags |
|---|---|---|
| https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
| https://hackerone.com/reports/518995 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:49:13.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/518995"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "before 12.3.2"
},
{
"status": "affected",
"version": "before 12.2.6"
},
{
"status": "affected",
"version": "before 12.1.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An IDOR exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-28T02:43:00",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/518995"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-15581",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "before 12.3.2"
},
{
"version_value": "before 12.2.6"
},
{
"version_value": "before 12.1.12"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An IDOR exists in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a project owner or maintainer to see the members of any private group via merge request approval rules."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/",
"refsource": "MISC",
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"name": "https://hackerone.com/reports/518995",
"refsource": "MISC",
"url": "https://hackerone.com/reports/518995"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-15581",
"datePublished": "2020-01-28T02:43:00",
"dateReserved": "2019-08-26T00:00:00",
"dateUpdated": "2024-08-05T00:49:13.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-26416
Vulnerability from cvelistv5
Published
2020-12-11 03:34
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/244495 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=8.4 to \u003c13.4.7"
},
{
"status": "affected",
"version": "\u003e=13.5 to \u003c13.5.5"
},
{
"status": "affected",
"version": "\u003e=13.6 to \u003c13.6.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions \u003e=8.4 to \u003c13.4.7, \u003e=13.5 to \u003c13.5.5, and \u003e=13.6 to \u003c13.6.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information exposure in GitLab EE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T03:34:03",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2020-26416",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=8.4 to \u003c13.4.7"
},
{
"version_value": "\u003e=13.5 to \u003c13.5.5"
},
{
"version_value": "\u003e=13.6 to \u003c13.6.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions \u003e=8.4 to \u003c13.4.7, \u003e=13.5 to \u003c13.5.5, and \u003e=13.6 to \u003c13.6.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information exposure in GitLab EE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2020-26416",
"datePublished": "2020-12-11T03:34:03",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-22240
Vulnerability from cvelistv5
Published
2021-08-05 19:25
Modified
2024-08-03 18:37
Severity ?
EPSS score ?
Summary
Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/327641 | x_refsource_MISC | |
| https://hackerone.com/reports/1166566 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:37:18.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327641"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1166566"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=13.7, \u003c13.11.6"
},
{
"status": "affected",
"version": "\u003e=13.12, \u003c13.12.6"
},
{
"status": "affected",
"version": "\u003e=14.0, \u003c14.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks bingomzan for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper access control in GitLab EE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-05T19:25:09",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327641"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1166566"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2021-22240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=13.7, \u003c13.11.6"
},
{
"version_value": "\u003e=13.12, \u003c13.12.6"
},
{
"version_value": "\u003e=14.0, \u003c14.0.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks bingomzan for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper access control in GitLab EE versions 13.11.6, 13.12.6, and 14.0.2 allows users to be created via single sign on despite user cap being enabled"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper access control in GitLab EE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/327641",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327641"
},
{
"name": "https://hackerone.com/reports/1166566",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1166566"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22240.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2021-22240",
"datePublished": "2021-08-05T19:25:09",
"dateReserved": "2021-01-05T00:00:00",
"dateUpdated": "2024-08-03T18:37:18.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-26406
Vulnerability from cvelistv5
Published
2020-11-17 00:13
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/244921 | x_refsource_MISC | |
| https://hackerone.com/reports/965602 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/965602"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=13.3, \u003c13.3.9"
},
{
"status": "affected",
"version": "\u003e=13.4, \u003c13.4.5"
},
{
"status": "affected",
"version": "\u003e=13.5, \u003c13.5.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks [ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: \u003e=13.3, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information exposure in GitLab EE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-17T00:13:19",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/965602"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2020-26406",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=13.3, \u003c13.3.9"
},
{
"version_value": "\u003e=13.4, \u003c13.4.5"
},
{
"version_value": "\u003e=13.5, \u003c13.5.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks [ashish_r_padelkar](https://hackerone.com/ashish_r_padelkar) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: \u003e=13.3, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information exposure in GitLab EE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244921"
},
{
"name": "https://hackerone.com/reports/965602",
"refsource": "MISC",
"url": "https://hackerone.com/reports/965602"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2020-26406",
"datePublished": "2020-11-17T00:13:19",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-15582
Vulnerability from cvelistv5
Published
2020-01-28 02:36
Modified
2024-08-05 00:49
Severity ?
EPSS score ?
Summary
An IDOR was discovered in < 12.3.2, < 12.2.6, and < 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment.
References
| ▼ | URL | Tags |
|---|---|---|
| https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/ | x_refsource_MISC | |
| https://hackerone.com/reports/566216 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:49:13.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/566216"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "before 12.3.2"
},
{
"status": "affected",
"version": "before 12.2.6"
},
{
"status": "affected",
"version": "before 12.1.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An IDOR was discovered in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Insecure Direct Object Reference (IDOR) (CWE-639)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-28T02:36:05",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/566216"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-15582",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "before 12.3.2"
},
{
"version_value": "before 12.2.6"
},
{
"version_value": "before 12.1.12"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An IDOR was discovered in \u003c 12.3.2, \u003c 12.2.6, and \u003c 12.1.12 for GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed a maintainer to add any private group to a protected environment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR) (CWE-639)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/",
"refsource": "MISC",
"url": "https://about.gitlab.com/blog/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"
},
{
"name": "https://hackerone.com/reports/566216",
"refsource": "MISC",
"url": "https://hackerone.com/reports/566216"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-15582",
"datePublished": "2020-01-28T02:36:05",
"dateReserved": "2019-08-26T00:00:00",
"dateUpdated": "2024-08-05T00:49:13.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13348
Vulnerability from cvelistv5
Published
2020-11-17 18:11
Modified
2024-08-04 12:18
Severity ?
EPSS score ?
Summary
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/gitlab-org/gitlab/-/issues/246928 | x_refsource_MISC | |
| https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:18:17.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/246928"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "GitLab EE",
"vendor": "GitLab",
"versions": [
{
"status": "affected",
"version": "\u003e=10.2, \u003c13.3.9"
},
{
"status": "affected",
"version": "\u003e=13.4, \u003c13.4.5"
},
{
"status": "affected",
"version": "\u003e=13.5, \u003c13.5.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are \u003e=10.2, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization in GitLab EE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-17T18:11:51",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/246928"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@gitlab.com",
"ID": "CVE-2020-13348",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "GitLab EE",
"version": {
"version_data": [
{
"version_value": "\u003e=10.2, \u003c13.3.9"
},
{
"version_value": "\u003e=13.4, \u003c13.4.5"
},
{
"version_value": "\u003e=13.5, \u003c13.5.2"
}
]
}
}
]
},
"vendor_name": "GitLab"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered internally by the GitLab team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are \u003e=10.2, \u003c13.3.9,\u003e=13.4, \u003c13.4.5,\u003e=13.5, \u003c13.5.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper authorization in GitLab EE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/246928",
"refsource": "MISC",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/246928"
},
{
"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json",
"refsource": "CONFIRM",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13348.json"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2020-13348",
"datePublished": "2020-11-17T18:11:51",
"dateReserved": "2020-05-21T00:00:00",
"dateUpdated": "2024-08-04T12:18:17.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}