Multiple vulnerabilities in GitLab



Published: 2021-01-08
Risk High
Patch available YES
Number of vulnerabilities 5
CVE ID CVE-2021-22166
CVE-2020-26414
CWE ID CWE-287
CWE-200
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Gitlab Community Edition
Universal components / Libraries / Software for developers

GitLab Enterprise Edition
Universal components / Libraries / Software for developers

Vendor GitLab, Inc

Security Advisory

1) Improper Authentication

Risk: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker can steal a user's API acces token through Gitlab pages, bypass the authentication process and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.6, 11.6.7, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.7.6, 11.7.7, 11.7.8, 11.7.9, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.1, 11.8.2, 11.8.3, 11.8.4, 11.8.5, 11.8.6, 11.8.7, 11.8.8, 11.8.9, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.0.10, 12.0.12, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.1.15, 12.1.16, 12.1.17, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.5.0, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5, 12.5.6, 12.5.7, 12.5.9, 12.5.10, 12.6.0, 12.6.1, 12.6.2, 12.6.3, 12.6.4, 12.6.6, 12.6.7, 12.6.8, 12.7.0, 12.7.1, 12.7.2, 12.7.4, 12.7.5, 12.7.6, 12.7.7, 12.7.8, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.8, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.7, 12.9.8, 12.9.9, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.1.11, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.9, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

GitLab Enterprise Edition: 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.5, 11.5.8, 11.5.10, 11.5.11, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 11.6.8, 11.6.9, 11.6.10, 11.6.11, 11.7.0, 11.7.1, 11.7.2, 11.7.3, 11.7.5, 11.7.7, 11.7.8, 11.7.10, 11.7.11, 11.7.12, 11.8.0, 11.8.2, 11.8.3, 11.8.6, 11.8.7, 11.8.10, 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.2, 11.11.3, 11.11.4, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.6, 12.0.7, 12.0.9, 12.0.10, 12.0.12, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.1.12, 12.1.14, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.11, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.3.9, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.5, 12.4.8, 12.5.0, 12.5.1, 12.5.3, 12.5.4, 12.5.5, 12.5.8, 12.5.9, 12.6.0, 12.6.1, 12.6.2, 12.6.4, 12.6.5, 12.6.6, 12.6.7, 12.7.0, 12.7.1, 12.7.2, 12.7.3, 12.7.4, 12.7.5, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.8, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.3, 13.0.4, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.11, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.2.0, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

CPE External links

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

Risk: Medium

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: N/A

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. Incorrect headers within a specific project page allows attacker to have temporary read access to a public repository with project features restricted to only members.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.1.15, 12.1.16, 12.1.17, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.5.0, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5, 12.5.6, 12.5.7, 12.5.9, 12.5.10, 12.6.0, 12.6.1, 12.6.2, 12.6.3, 12.6.4, 12.6.6, 12.6.7, 12.6.8, 12.7.0, 12.7.1, 12.7.2, 12.7.4, 12.7.5, 12.7.6, 12.7.7, 12.7.8, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.8, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.7, 12.9.8, 12.9.9, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.1.11, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.9, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

GitLab Enterprise Edition: 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.9, 12.1.10, 12.1.12, 12.1.14, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.11, 12.3.0, 12.3.1, 12.3.2, 12.3.4, 12.3.7, 12.3.9, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.5, 12.4.8, 12.5.0, 12.5.1, 12.5.3, 12.5.4, 12.5.5, 12.5.8, 12.5.9, 12.6.0, 12.6.1, 12.6.2, 12.6.4, 12.6.5, 12.6.6, 12.6.7, 12.7.0, 12.7.1, 12.7.2, 12.7.3, 12.7.4, 12.7.5, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.8, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.3, 13.0.4, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.11, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.2.0, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

CPE External links

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

Risk: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied in in NuGet API. A remote user can pass specially crafted input to the application and perform a regular expression denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.8, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.7, 12.9.8, 12.9.9, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.1.11, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.9, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

GitLab Enterprise Edition: 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.8, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.3, 13.0.4, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.11, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.2.0, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

CPE External links

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

Risk: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-22166

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests with custom method in Prometheus. A remote attacker can pass specially crafted HTTP request to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 13.7.0, 13.7.1

GitLab Enterprise Edition: 13.7.0, 13.7.1

CPE External links

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

Risk: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26414

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in regex when processing package names during package uploads. A remote user can pass specially crafted input to the application and perform a regular expression denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Gitlab Community Edition: 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.5.0, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5, 12.5.6, 12.5.7, 12.5.9, 12.5.10, 12.6.0, 12.6.1, 12.6.2, 12.6.3, 12.6.4, 12.6.6, 12.6.7, 12.6.8, 12.7.0, 12.7.1, 12.7.2, 12.7.4, 12.7.5, 12.7.6, 12.7.7, 12.7.8, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.8, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.7, 12.9.8, 12.9.9, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.3.8, 13.3.9, 13.4.5, 13.4.6, 13.4.7, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

GitLab Enterprise Edition: 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.5, 12.4.8, 12.5.0, 12.5.1, 12.5.3, 12.5.4, 12.5.5, 12.5.8, 12.5.9, 12.6.0, 12.6.1, 12.6.2, 12.6.4, 12.6.5, 12.6.6, 12.6.7, 12.7.0, 12.7.1, 12.7.2, 12.7.3, 12.7.4, 12.7.5, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.8, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.3.8, 13.3.9, 13.4.5, 13.4.6, 13.4.7, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.7.0, 13.7.1

CPE External links

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.