CVE-2020-13272

Severity CVSS v4.0:
Pending analysis
Type:
CWE-345 Insufficient Verification of Data Authenticity
Publication date:
19/06/2020
Last modified:
21/07/2021

Description

OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* 12.3.0 (including) 12.9.8 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* 12.3.0 (including) 12.9.8 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* 12.10.0 (including) 12.10.7 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* 12.10.0 (including) 12.10.7 (excluding)
cpe:2.3:a:gitlab:gitlab:13.0.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:13.0.0:*:*:*:enterprise:*:*:*