CVE-2020-13355

2020-11-1823:30:25

GitLab

www.cve.org

gitlab

path traversal

vulnerability

lfs upload

server.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

44.7%

JSON

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

CNA Affected

[
  {
    "product": "GitLab CE/EE",
    "vendor": "GitLab",
    "versions": [
      {
        "status": "affected",
        "version": ">=8.14"
      },
      {
        "status": "affected",
        "version": "<13.3.9"
      },
      {
        "status": "affected",
        "version": ">=13.4"
      },
      {
        "status": "affected",
        "version": "<13.4.5"
      },
      {
        "status": "affected",
        "version": ">=13.5"
      },
      {
        "status": "affected",
        "version": "<13.5.2"
      }
    ]
  }
]