Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-174E466B-1D48-11EB-BD0F-001B217B3468 (CVE-2020-13354): Gitlab -- Multiple vulnerabilities



Severity: 4
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Published: 11/02/2020
Created: 11/05/2020
Added: 11/03/2020
Modified: 12/16/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-174E466B-1D48-11EB-BD0F-001B217B3468:

Gitlab reports:

  • Path Traversal in LFS Upload
  • Path traversal allows saving packages in arbitrary location
  • Kubernetes agent API leaks private repos
  • Terraform state deletion API exposes object storage URL
  • Stored-XSS in error message of build-dependencies
  • Git credentials persisted on disk
  • Potential Denial of service via container registry
  • Info leak when group is transferred from private to public group
  • Limited File Disclosure Via Multipart Bypass
  • Unauthorized user is able to access scheduled pipeline variables and values
  • CSRF in runner administration page allows an attacker to pause/resume runners
  • Regex backtracking attack in path parsing of Advanced Search result
  • Bypass of required CODEOWNERS approval
  • SAST CiConfiguration information visible without permissions

Solution(s)

  • freebsd-upgrade-package-gitlab-ce
