ByteOS Network

Vulnerability Details :

CVE-2020-13293

Summary

Assigner-GitLab

Assigner Org ID-ceab7361-8a18-47b1-92ba-4d7d25f6715a

Published At-10 Aug, 2020 | 13:28

Updated At-04 Aug, 2024 | 12:11

In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitLab

Assigner Org ID:ceab7361-8a18-47b1-92ba-4d7d25f6715a

Published At:10 Aug, 2020 | 13:28

Updated At:04 Aug, 2024 | 12:11

▼CVE Numbering Authority (CNA)

In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.

Affected Products

Vendor

GitLab Inc.

Product

GitLab

Versions

Affected

>=1.0, <13.0.12
>=13.1, <13.1.6
>=13.2, <13.2.3

Problem Types

Type	CWE ID	Description
text	N/A	Access of resource using incompatible type ('type confusion') in GitLab

Type: text

CWE ID: N/A

Description: Access of resource using incompatible type ('type confusion') in GitLab

Metrics

Version	Base score	Base severity	Vector
3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Credits

Thanks [@retroplasma](https://hackerone.com/retroplasma) for reporting this vulnerability through our HackerOne bug bounty program

References

Hyperlink	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/202690	x_refsource_MISC
https://hackerone.com/reports/790634	x_refsource_MISC
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json	x_refsource_CONFIRM

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/202690

Resource:

x_refsource_MISC

Hyperlink: https://hackerone.com/reports/790634

Resource:

x_refsource_MISC

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json

Resource:

x_refsource_CONFIRM

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/202690	x_refsource_MISC x_transferred
https://hackerone.com/reports/790634	x_refsource_MISC x_transferred
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json	x_refsource_CONFIRM x_transferred

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/202690

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://hackerone.com/reports/790634

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json

Resource:

x_refsource_CONFIRM

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cve@gitlab.com

Published At:10 Aug, 2020 | 14:15

Updated At:21 Jul, 2021 | 11:39

In GitLab before 13.0.12, 13.1.6 and 13.2.3 using a branch with a hexadecimal name could override an existing hash.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Secondary	3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Primary	2.0	5.5	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:P

Type: Primary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Type: Secondary

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Type: Primary

Version: 2.0

Base score: 5.5

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:S/C:N/I:P/A:P

CPE Matches

GitLab Inc.

>>gitlab>>Versions from 1.0.0(inclusive) to 13.0.12(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

GitLab Inc.

>>gitlab>>Versions from 13.1.0(inclusive) to 13.1.6(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

GitLab Inc.

>>gitlab>>Versions from 13.2.0(inclusive) to 13.2.3(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
NVD-CWE-noinfo	Primary	nvd@nist.gov

CWE ID: NVD-CWE-noinfo

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json	cve@gitlab.com	Third Party Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/202690	cve@gitlab.com	Broken Link
https://hackerone.com/reports/790634	cve@gitlab.com	Permissions Required Third Party Advisory

Hyperlink: https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13293.json

Source: cve@gitlab.com

Resource:

Third Party Advisory

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/202690

Source: cve@gitlab.com

Resource:

Broken Link

Hyperlink: https://hackerone.com/reports/790634

Source: cve@gitlab.com

Resource:

Permissions Required

Third Party Advisory

Similar CVEs

8Records found

CVE-2018-18647

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-6.5||MEDIUM

EPSS-0.08% / 24.77%

7 Day CHG~0.00%

Published-04 Dec, 2018 | 23:00

Updated-05 Aug, 2024 | 11:16

An issue was discovered in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It has Missing Authorization.

Vendor-n/a GitLab Inc.

Product-gitlab n/a

CWE ID-CWE-862

Missing Authorization

CVE-2020-13325

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-7.1||HIGH

EPSS-0.15% / 35.89%

7 Day CHG~0.00%

Published-29 Sep, 2020 | 18:33

Updated-04 Aug, 2024 | 12:18

A vulnerability was discovered in GitLab versions prior 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service.

Vendor-GitLab Inc.

Product-gitlab GitLab

CVE-2021-22179

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-5.4||MEDIUM

EPSS-0.31% / 53.55%

7 Day CHG~0.00%

Published-24 Mar, 2021 | 16:48

Updated-03 Aug, 2024 | 18:37

A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2020-13355

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-7.5||HIGH

EPSS-0.33% / 55.55%

7 Day CHG~0.00%

Published-18 Nov, 2020 | 23:30

Updated-04 Aug, 2024 | 12:18

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Vendor-GitLab Inc.

Product-gitlab GitLab CE/EE

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2019-5469

Matching Score-8

Assigner-HackerOne

View Details

Matching Score-8

Assigner-HackerOne

CVSS Score-6.5||MEDIUM

EPSS-0.10% / 28.55%

7 Day CHG~0.00%

Published-18 Dec, 2019 | 20:59

Updated-04 Aug, 2024 | 19:54

An IDOR vulnerability exists in GitLab <v12.1.2, <v12.0.4, and <v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets.

Vendor-n/a GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-639

Authorization Bypass Through User-Controlled Key

CVE-2019-18446

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-4.3||MEDIUM

EPSS-0.07% / 20.54%

7 Day CHG~0.00%

Published-26 Nov, 2019 | 16:50

Updated-05 Aug, 2024 | 01:54

An issue was discovered in GitLab Community and Enterprise Edition 8.15 through 12.4. It has Insecure Permissions (issue 1 of 2).

Vendor-n/a GitLab Inc.

Product-gitlab n/a

CWE ID-CWE-732

Incorrect Permission Assignment for Critical Resource

CVE-2022-4205

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-6.3||MEDIUM

EPSS-0.03% / 5.13%

7 Day CHG~0.00%

Published-27 Jan, 2023 | 00:00

Updated-27 Mar, 2025 | 21:15

In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

CVE-2020-26405

Matching Score-8

Assigner-GitLab Inc.

View Details

Matching Score-8

Assigner-GitLab Inc.

CVSS Score-7.1||HIGH

EPSS-0.54% / 66.74%

7 Day CHG~0.00%

Published-17 Nov, 2020 | 18:26

Updated-04 Aug, 2024 | 15:56

Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Vendor-GitLab Inc.

Product-gitlab GitLab CE/EE

CWE ID-CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2020-13293

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs