Lucene search

[email protected]CVE-2020-13270

HistoryJun 10, 2020 - 3:15 p.m.

CVE-2020-13270

2020-06-1015:15:13

CWE-862

[email protected]

web.nvd.nist.gov

cve

2020

13270

gitlab

permission check

fork relation

api

guest users

nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.4%

JSON

Missing permission check on fork relation creation in GitLab CE/EE 11.3 and later through 13.0.1 allows guest users to create a fork relation on restricted public projects via API

Affected configurations

NVD

Node

gitlabgitlabRange11.3.0–11.9.8community

gitlabgitlabRange11.3.0–12.9.8enterprise

gitlabgitlabRange12.10.0–12.10.7community

gitlabgitlabRange12.10.0–12.10.7enterprise

gitlabgitlabRange13.0.0–13.0.1community

gitlabgitlabRange13.0.0–13.0.1enterprise

CPENameOperatorVersion
gitlab:gitlabgitlablt11.9.8
gitlab:gitlabgitlablt12.9.8
gitlab:gitlabgitlablt12.10.7
gitlab:gitlabgitlablt13.0.1

CPE	Name	Operator	Version
gitlab:gitlab	gitlab	lt	11.9.8
gitlab:gitlab	gitlab	lt	12.9.8
gitlab:gitlab	gitlab	lt	12.10.7
gitlab:gitlab	gitlab	lt	13.0.1

CNA Affected

[
  {
    "product": "GitLab",
    "vendor": "GitLab",
    "versions": [
      {
        "status": "affected",
        "version": ">=11.3, <12.9.8"
      },
      {
        "status": "affected",
        "version": ">=12.10, <12.10.7"
      },
      {
        "status": "affected",
        "version": ">=13.0, <13.0.1"
      }
    ]
  }
]