CVE-2020-26416 - Vulnerability Details

Vendors	Products
Gitlab	Gitlab

Link	Providers
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json
https://gitlab.com/gitlab-org/gitlab/-/issues/244495

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "GitLab EE", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=8.4 to <13.4.7"}, {"status": "affected", "version": ">=13.5 to <13.5.5"}, {"status": "affected", "version": ">=13.6 to <13.6.2"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team"}], "descriptions": [{"lang": "en", "value": "Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information exposure in GitLab EE", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T03:34:03", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26416", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab EE", "version": {"version_data": [{"version_value": ">=8.4 to <13.4.7"}, {"version_value": ">=13.5 to <13.5.5"}, {"version_value": ">=13.6 to <13.6.2"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information exposure in GitLab EE"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:04.341Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"}]}]}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26416", "datePublished": "2020-12-11T03:34:03", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.341Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : GitLab EE (string)

vendor : GitLab (string)

versions : [ »

0 : { »

status : affected (string)

version : >=8.4 to <13.4.7 (string)

}

1 : { »

status : affected (string)

version : >=13.5 to <13.5.5 (string)

}

2 : { »

status : affected (string)

version : >=13.6 to <13.6.2 (string)

}

]

}

]

credits : [ »

0 : { »

lang : en (string)

value : This vulnerability has been discovered internally by the GitLab team (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. (string)

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : HIGH (string)

attackVector : LOCAL (string)

availabilityImpact : NONE (string)

baseScore : 4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Information exposure in GitLab EE (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-12-11T03:34:03 (string)

orgId : ceab7361-8a18-47b1-92ba-4d7d25f6715a (string)

shortName : GitLab (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@gitlab.com (string)

ID : CVE-2020-26416 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : GitLab EE (string)

version : { »

version_data : [ »

0 : { »

version_value : >=8.4 to <13.4.7 (string)

}

1 : { »

version_value : >=13.5 to <13.5.5 (string)

}

2 : { »

version_value : >=13.6 to <13.6.2 (string)

}

]

}

]

}

vendor_name : GitLab (string)

}

]

}

credit : [ »

0 : { »

lang : eng (string)

value : This vulnerability has been discovered internally by the GitLab team (string)

}

]

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : HIGH (string)

attackVector : LOCAL (string)

availabilityImpact : NONE (string)

baseScore : 3.9 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Information exposure in GitLab EE (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

refsource : MISC (string)

url : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

}

1 : { »

name : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

refsource : CONFIRM (string)

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T15:56:04.341Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : ceab7361-8a18-47b1-92ba-4d7d25f6715a (string)

assignerShortName : GitLab (string)

cveId : CVE-2020-26416 (string)

datePublished : 2020-12-11T03:34:03 (string)

dateReserved : 2020-10-01T00:00:00 (string)

dateUpdated : 2024-08-04T15:56:04.341Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "B22CC5B9-347B-4F4C-B6EF-BEB2F1259922", "versionEndExcluding": "13.4.7", "versionStartIncluding": "8.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C8C24A26-7966-4E25-B05D-C74BC5A3A516", "versionEndExcluding": "13.4.7", "versionStartIncluding": "8.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "468AFC4C-4AFE-4502-AE04-CEC567CC9454", "versionEndExcluding": "13.5.5", "versionStartIncluding": "13.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C03EE1D3-7824-43A8-ACA2-7EE7EA9B638E", "versionEndExcluding": "13.5.5", "versionStartIncluding": "13.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "8A470CCF-C038-44D4-AB14-B9134C0E7ABC", "versionEndExcluding": "13.6.2", "versionStartIncluding": "13.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "63A5C9B5-F86B-4066-8042-865AB4DD4859", "versionEndExcluding": "13.6.2", "versionStartIncluding": "13.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2."}, {"lang": "es", "value": "Una divulgaci\u00f3n de informaci\u00f3n en el componente Advanced Search de GitLab EE a partir de la versi\u00f3n 8.4, resulta en la exposici\u00f3n de los t\u00e9rminos de b\u00fasqueda por medio de los registros Rails.&#xa0;Esto afecta a las versiones posteriores a 8.4 incluy\u00e9ndola hasta versiones anteriores a 13.4.7, versiones posteriores a 13.5 incluy\u00e9ndola, hasta versiones anteriores a 13.5.5 y versiones posteriores a 13.6 incluy\u00e9ndola hasta versiones anteriores a 13.6.2"}], "id": "CVE-2020-26416", "lastModified": "2024-11-21T05:19:53.887", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-11T04:15:11.690", "references": [{"source": "cve@gitlab.com", "tags": ["Third Party Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/244495"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : B22CC5B9-347B-4F4C-B6EF-BEB2F1259922 (string)

versionEndExcluding : 13.4.7 (string)

versionStartIncluding : 8.4.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : C8C24A26-7966-4E25-B05D-C74BC5A3A516 (string)

versionEndExcluding : 13.4.7 (string)

versionStartIncluding : 8.4.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 468AFC4C-4AFE-4502-AE04-CEC567CC9454 (string)

versionEndExcluding : 13.5.5 (string)

versionStartIncluding : 13.5.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : C03EE1D3-7824-43A8-ACA2-7EE7EA9B638E (string)

versionEndExcluding : 13.5.5 (string)

versionStartIncluding : 13.5.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 8A470CCF-C038-44D4-AB14-B9134C0E7ABC (string)

versionEndExcluding : 13.6.2 (string)

versionStartIncluding : 13.6.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : 63A5C9B5-F86B-4066-8042-865AB4DD4859 (string)

versionEndExcluding : 13.6.2 (string)

versionStartIncluding : 13.6.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. (string)

}

1 : { »

lang : es (string)

value : Una divulgación de información en el componente Advanced Search de GitLab EE a partir de la versión 8.4, resulta en la exposición de los términos de búsqueda por medio de los registros Rails. Esto afecta a las versiones posteriores a 8.4 incluyéndola hasta versiones anteriores a 13.4.7, versiones posteriores a 13.5 incluyéndola, hasta versiones anteriores a 13.5.5 y versiones posteriores a 13.6 incluyéndola hasta versiones anteriores a 13.6.2 (string)

}

]

id : CVE-2020-26416 (string)

lastModified : 2024-11-21T05:19:53.887 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : LOCAL (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 2.1 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:L/AC:L/Au:N/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : LOCAL (string)

availabilityImpact : NONE (string)

baseScore : 4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 0.3 (number)

impactScore : 3.6 (number)

source : cve@gitlab.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : LOCAL (string)

availabilityImpact : NONE (string)

baseScore : 4.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 0.8 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2020-12-11T04:15:11.690 (string)

references : [ »

0 : { »

source : cve@gitlab.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

}

1 : { »

source : cve@gitlab.com (string)

tags : [ »

0 : Broken Link (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26416.json (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Broken Link (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/244495 (string)

}

]

sourceIdentifier : cve@gitlab.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-532 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object