Information disclosure in GitLab Enterprise Edition - CVE-2020-26416

 

Information disclosure in GitLab Enterprise Edition - CVE-2020-26416

Published: December 10, 2020 / Updated: December 14, 2020


Vulnerability identifier: #VU48973
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26416
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in Advanced Search component of GitLab EE via the search terms of Rails logs. A remote privileged user obtain sensitive information.


How to mitigate CVE-2020-26416

Install updates from vendor's website.

Sources