Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2020-13359

HistoryNov 19, 2020 - 12:15 a.m.

CVE-2020-13359

2020-11-1900:15:12

Debian Security Bug Tracker

security-tracker.debian.org

terraform api

gitlab ce

gitlab ee

signed url

malicious overwrite

object storage

audit

business controls

unix

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N

EPSS

0.001

Percentile

22.7%

JSON

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

OSVersionArchitecturePackageVersionFilename
Debian999allgitlab< 13.3.9-1gitlab_13.3.9-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	gitlab	< 13.3.9-1	gitlab_13.3.9-1_all.deb

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N

EPSS

0.001

Percentile

22.7%

JSON

Related for DEBIANCVE:CVE-2020-13359