CVE-2020-13266 - OpenCVE

Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json
https://gitlab.com/gitlab-org/gitlab/-/issues/208449

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2020-06-09T15:34:39

Updated: 2024-08-04T12:11:19.473Z

Reserved: 2020-05-21T00:00:00

Link: CVE-2020-13266

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-09T16:15:10.520

Modified: 2020-06-15T18:04:25.627

Link: CVE-2020-13266

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "GitLab", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=12.8, <12.9.8"}, {"status": "affected", "version": ">=12.10, <12.10.7"}, {"status": "affected", "version": ">=13.0, <13.0.1"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab Security Team"}], "descriptions": [{"lang": "en", "value": "Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Missing authorization in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-09T15:34:39", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/208449"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13266", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab", "version": {"version_data": [{"version_value": ">=12.8, <12.9.8"}, {"version_value": ">=12.10, <12.10.7"}, {"version_value": ">=13.0, <13.0.1"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab Security Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing authorization in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/208449", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/208449"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:11:19.473Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/208449"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json"}]}]}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13266", "datePublished": "2020-06-09T15:34:39", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2024-08-04T12:11:19.473Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "EB1FF226-31C2-4FDA-BABD-CA1F3CB077A0", "versionEndIncluding": "13.0.1", "versionStartIncluding": "12.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1CC5A66C-5C37-4B41-9CD7-1B624D35BCE3", "versionEndIncluding": "13.0.1", "versionStartIncluding": "12.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure authorization in Project Deploy Keys in GitLab CE/EE 12.8 and later through 13.0.1 allows users to update permissions of other users' deploy keys under certain conditions"}, {"lang": "es", "value": "Una autorizaci\u00f3n no segura en Project Deploy Keys en GitLab CE/EE versiones 12.8 y posteriores hasta 13.0.1, permite a usuarios actualizar los permisos de las claves de despliegue de otros usuarios bajo determinadas condiciones"}], "id": "CVE-2020-13266", "lastModified": "2020-06-15T18:04:25.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2020-06-09T16:15:10.520", "references": [{"source": "cve@gitlab.com", "tags": ["Third Party Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13266.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/208449"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}