Lucene search

RubySecRUBY:GITALY-2020-13353

HistoryMay 23, 2022 - 9:00 p.m.

Gitaly Insufficient Session Expiration vulnerability

2022-05-2321:00:00

RubySec

gitlab.com

gitaly

session expiration

repos importing

git credentials

security vulnerability

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

3.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

JSON

When importing repos via URL, one time use git credentials were persisted
beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are:
>=1.79.0, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Affected configurations

Vulners

Node

rubygitalyRange13.3.0–13.3.9

rubygitalyRange13.4.0–13.4.5

rubygitalyRange≤13.5.2

VendorProductVersionCPE
rubygitaly*cpe:2.3:a:ruby:gitaly:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	gitaly	*	cpe:2.3:a:ruby:gitaly::::::::

References

gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

3.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

JSON

Related for RUBY:GITALY-2020-13353