CVE-2020-13350

Published: Nov 17, 2020Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, <13.5.2,>=13.4.0, <13.4.5,<13.3.9.

Affected (6)

Products: Gitlab: Gitlab

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Before 13.3.9
Gitlab Gitlab	From 13.4.0 to 13.4.5
Gitlab Gitlab	From 13.5.0 to 13.5.2
Gitlab Gitlab	Before 13.3.9
Gitlab Gitlab	From 13.4.0 to 13.4.5
Gitlab Gitlab	From 13.5.0 to 13.5.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/24416

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/415238

Source: cve@gitlab.com

Permissions RequiredThird Party Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13350.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/24416

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/415238

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.