ByteOS Network

NVD Vulnerability Details :

CVE-2017-0920

Modified

Source-support@hackerone.com

Published At-22 Mar, 2018 | 15:29

Updated At-03 Oct, 2019 | 00:03

GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary	2.0	4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N

CPE Matches

GitLab Inc.

>>gitlab>>Versions between 8.8.0(exclusive) and 10.1.5(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

GitLab Inc.

>>gitlab>>Versions from 8.8.0(inclusive) to 10.1.5(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

GitLab Inc.

>>gitlab>>Versions between 10.2.0(exclusive) and 10.2.5(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

GitLab Inc.

>>gitlab>>Versions from 10.2.0(inclusive) to 10.2.5(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

GitLab Inc.

>>gitlab>>Versions between 10.3.0(exclusive) and 10.3.3(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

GitLab Inc.

>>gitlab>>Versions from 10.3.0(inclusive) to 10.3.3(inclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-863	Primary	nvd@nist.gov
CWE-639	Secondary	support@hackerone.com

References

Hyperlink	Source	Resource
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/	support@hackerone.com	Vendor Advisory
https://hackerone.com/reports/301336	support@hackerone.com	Permissions Required
https://www.debian.org/security/2018/dsa-4206	support@hackerone.com	N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History