Gitaly up to 13.3.8/13.4.4/13.5.1 Import information disclosure

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Gitaly up to 13.3.8/13.4.4/13.5.1. Affected by this vulnerability is an unknown functionality of the component Import Handler. Performing a manipulation results in information disclosure. This vulnerability was named CVE-2020-13353. The attack needs to be approached locally. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in Gitaly up to 13.3.8/13.4.4/13.5.1. This affects an unknown functionality of the component Import Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality.

The weakness was presented 11/17/2020. The advisory is shared at gitlab.com. This vulnerability is uniquely identified as CVE-2020-13353. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 13.3.9, 13.4.5 or 13.5.2 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Gitaly

Version

• 13.3.0
• 13.3.1
• 13.3.2
• 13.3.3
• 13.3.4
• 13.3.5
• 13.3.6
• 13.3.7
• 13.3.8
• 13.4.0
• 13.4.1
• 13.4.2
• 13.4.3
• 13.4.4
• 13.5.0
• 13.5.1

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion