CVE-2020-13355

Published: Nov 19, 2020Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Affected (6)

Products: Gitlab: Gitlab

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 13.4.0 to 13.4.5
Gitlab Gitlab	From 13.5.0 to 13.5.2
Gitlab Gitlab	From 8.14.0 to 13.3.9
Gitlab Gitlab	From 13.4.0 to 13.4.5
Gitlab Gitlab	From 13.5.0 to 13.5.2
Gitlab Gitlab	From 8.14.0 to 13.3.9

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/255886

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/990800

Source: cve@gitlab.com

Permissions RequiredThird Party Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13355.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/255886

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/990800

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.