CVE-2020-26414

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/01/2021
Last modified:
21/01/2021

Description

An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* 12.4.0 (including) 13.5.6 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* 12.4.0 (including) 13.5.6 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* 13.6.0 (including) 13.6.4 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* 13.6.0 (including) 13.6.4 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* 13.7.0 (including) 13.7.2 (excluding)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* 13.7.0 (including) 13.7.2 (excluding)