Lucene search

Https://gitlab.com/gitlab-org/security-products/gemnasium-dbGITLAB-F20B376C419980FFDC7D01633E0E085E

HistoryAug 14, 2020 - 12:00 a.m.

Path Traversal

2020-08-1400:00:00

https://gitlab.com/gitlab-org/security-products/gemnasium-db

gitlab.com

path traversal

security issue

user input validation

unauthorized access

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

65.6%

JSON

The resolveRepositoryPath function does not properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.

Affected configurations

Vulners

Node

npmgit-serverRange<1.3.1

VendorProductVersionCPE
npmgit-server*cpe:2.3:a:npm:git-server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
npm	git-server	*	cpe:2.3:a:npm:git-server::::::::

References

nvd.nist.gov/vuln/detail/CVE-2020-9708

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

65.6%

JSON

Related for GITLAB-F20B376C419980FFDC7D01633E0E085E