Main Vulnerability Database Vulnerabilities #VU29554

#VU29554 Information disclosure in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2020-15525

Published: July 7, 2020 / Updated: July 15, 2020

Vulnerability identifier: #VU29554

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-15525

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Gitlab Community Edition
GitLab Enterprise Edition

Software vendor:
GitLab, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The Maven package upload endpoint could be used to override restrictions and result in the GitLab Workhorse disclosing the existence and contents of files in the /tmp directory. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install updates from vendor's website.

External links

https://about.gitlab.com/releases/2020/07/06/critical-security-release-gitlab-13-1-3-released/