FreeBSD: VID-174E466B-1D48-11EB-BD0F-001B217B3468 (CVE-2020-13350): Gitlab -- Multiple vulnerabilities
| Severity | CVSS vector | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Nov 2, 2020 | Nov 3, 2020 | Dec 16, 2020 |
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-174E466B-1D48-11EB-BD0F-001B217B3468:
Gitlab reports:

- Path Traversal in LFS Upload
- Path traversal allows saving packages in arbitrary location
- Kubernetes agent API leaks private repos
- Terraform state deletion API exposes object storage URL
- Stored-XSS in error message of build-dependencies
- Git credentials persisted on disk
- Potential Denial of service via container registry
- Info leak when group is transferred from private to public group
- Limited File Disclosure Via Multipart Bypass
- Unauthorized user is able to access scheduled pipeline variables and values
- CSRF in runner administration page allows an attacker to pause/resume runners
- Regex backtracking attack in path parsing of Advanced Search result
- Bypass of required CODEOWNERS approval
- SAST CiConfiguration information visible without permissions
Solution
References