CVE-2020-26412

Description

Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

gitlab / GitLab EE>=13.2, <13.4.7 – >=13.2, <13.4.7
gitlab / GitLab EE>=13.5, <13.5.5 – >=13.5, <13.5.5
gitlab / GitLab EE>=13.6, <13.6.2 – >=13.6, <13.6.2

References

MISChttps://gitlab.com/gitlab-org/gitlab/-/issues/228670
MISChttps://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26412.json