Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202102-11
HistoryFeb 06, 2021 - 12:00 a.m.

[ASA-202102-11] gitlab: information disclosure

2021-02-0600:00:00
security.archlinux.org
77
gitlab
version 13.8.2
information disclosure
private project
guest user
releases page
cve-2021-22172

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON

Arch Linux Security Advisory ASA-202102-11

Severity: Medium
Date : 2021-02-06
CVE-ID : CVE-2021-22172
Package : gitlab
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-1521

Summary

The package gitlab before version 13.8.2-1 is vulnerable to information
disclosure.

Resolution

Upgrade to 13.8.2-1.

pacman -Syu “gitlab>=13.8.2-1”

The problem has been fixed upstream in version 13.8.2.

Workaround

None.

Description

Improper authorization in GitLab 12.8+ allows a guest user in a private
project to view tag data that should be inaccessible on the releases
page. The issue is fixed in versions 13.8.2, 13.7.6 and 13.6.6.

Impact

A guest user can view tag data that should be inaccessible on the
releases page of a private project.

References

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/
https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/#guest-user-can-see-tag-names-in-private-projects
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/41b1c0469dba622a1c2c67c17f1f5e491573accf
https://security.archlinux.org/CVE-2021-22172

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanygitlab< 13.8.2-1UNKNOWN

Related

prion 1
osv 2
veracode 1
debiancve 1
nessus 2
cvelist 1
cve 1
ubuntucve 1
nvd 1
freebsd 1
prion
prion
Authorization
2021-03-26 20:15:00
osv
osv
CVE-2021-22172
2021-03-26 20:15:12
BIT-gitlab-2021-22172
2024-03-06 11:20:37
veracode
veracode
Improper Authorization
2023-08-06 14:24:33
debiancve
debiancve
CVE-2021-22172
2021-03-26 20:15:12
nessus
nessus
GitLab 12.8 < 13.6.6 / 13.7.0 < 13.7.6 / 13.8.0 < 13.8.2 (CVE-2021-22172)
2024-05-17 00:00:00
FreeBSD : Gitlab -- Multiple vulnerabilities (66d1c277-652a-11eb-bb3f-001b217b3468)
2021-02-04 00:00:00
cvelist
cvelist
CVE-2021-22172
2021-03-26 19:06:48
cve
cve
CVE-2021-22172
2021-03-26 20:15:12
ubuntucve
ubuntucve
CVE-2021-22172
2021-03-26 00:00:00
nvd
nvd
CVE-2021-22172
2021-03-26 20:15:12
freebsd
freebsd
Gitlab -- Multiple vulnerabilities
2021-02-01 00:00:00

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON
Related for ASA-202102-11
prion1osv2veracode1debiancve1nessus2cvelist1cve1ubuntucve1nvd1freebsd1