CVE-2020-26417 - Vulnerability Details

Vendors	Products
Gitlab	Gitlab

Link	Providers
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json
https://gitlab.com/gitlab-org/gitlab/-/issues/282539

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "GitLab CE/EE", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=13.6 to <13.6.2"}, {"status": "affected", "version": ">=13.5 to <13.5.5"}, {"status": "affected", "version": ">=13.1 to <13.4.7"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team"}], "descriptions": [{"lang": "en", "value": "Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information exposure in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T03:37:36", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-26417", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab CE/EE", "version": {"version_data": [{"version_value": ">=13.6 to <13.6.2"}, {"version_value": ">=13.5 to <13.5.5"}, {"version_value": ">=13.1 to <13.4.7"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information exposure in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:04.584Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json"}]}]}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-26417", "datePublished": "2020-12-11T03:37:36", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:04.584Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : GitLab CE/EE (string)

vendor : GitLab (string)

versions : [ »

0 : { »

status : affected (string)

version : >=13.6 to <13.6.2 (string)

}

1 : { »

status : affected (string)

version : >=13.5 to <13.5.5 (string)

}

2 : { »

status : affected (string)

version : >=13.1 to <13.4.7 (string)

}

]

}

]

credits : [ »

0 : { »

lang : en (string)

value : This vulnerability has been discovered internally by the GitLab team (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7. (string)

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Information exposure in GitLab (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-12-11T03:37:36 (string)

orgId : ceab7361-8a18-47b1-92ba-4d7d25f6715a (string)

shortName : GitLab (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : cve@gitlab.com (string)

ID : CVE-2020-26417 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : GitLab CE/EE (string)

version : { »

version_data : [ »

0 : { »

version_value : >=13.6 to <13.6.2 (string)

}

1 : { »

version_value : >=13.5 to <13.5.5 (string)

}

2 : { »

version_value : >=13.1 to <13.4.7 (string)

}

]

}

]

}

vendor_name : GitLab (string)

}

]

}

credit : [ »

0 : { »

lang : eng (string)

value : This vulnerability has been discovered internally by the GitLab team (string)

}

]

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Information exposure in GitLab (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

refsource : MISC (string)

url : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

}

1 : { »

name : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

refsource : CONFIRM (string)

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T15:56:04.584Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : ceab7361-8a18-47b1-92ba-4d7d25f6715a (string)

assignerShortName : GitLab (string)

cveId : CVE-2020-26417 (string)

datePublished : 2020-12-11T03:37:36 (string)

dateReserved : 2020-10-01T00:00:00 (string)

dateUpdated : 2024-08-04T15:56:04.584Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "2C4CD49E-C8FF-4830-B28D-E2FADE748F81", "versionEndExcluding": "13.4.7", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A46662D9-9CD8-4BA5-B539-D608C34BEBE7", "versionEndExcluding": "13.4.7", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "468AFC4C-4AFE-4502-AE04-CEC567CC9454", "versionEndExcluding": "13.5.5", "versionStartIncluding": "13.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C03EE1D3-7824-43A8-ACA2-7EE7EA9B638E", "versionEndExcluding": "13.5.5", "versionStartIncluding": "13.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "8A470CCF-C038-44D4-AB14-B9134C0E7ABC", "versionEndExcluding": "13.6.2", "versionStartIncluding": "13.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "63A5C9B5-F86B-4066-8042-865AB4DD4859", "versionEndExcluding": "13.6.2", "versionStartIncluding": "13.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7."}, {"lang": "es", "value": "Una divulgaci\u00f3n de informaci\u00f3n por medio de GraphQL en GitLab CE/EE versiones 13.1 y posteriores, expone la membres\u00eda a grupos privados y proyectos.&#xa0;Esto afecta a las versiones posteriores a 13.6 incluy\u00e9ndola hasta versiones anteriores a 13.6.2, versiones anteriores a 13.5 incluy\u00e9ndola hasta versiones anteriores a 13.5.5 y versiones posteriores a 13.1 incluy\u00e9ndola hasta versiones anteriores a 13.4.7"}], "id": "CVE-2020-26417", "lastModified": "2024-11-21T05:19:54.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-11T04:15:11.767", "references": [{"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/282539"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 2C4CD49E-C8FF-4830-B28D-E2FADE748F81 (string)

versionEndExcluding : 13.4.7 (string)

versionStartIncluding : 13.1.0 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : A46662D9-9CD8-4BA5-B539-D608C34BEBE7 (string)

versionEndExcluding : 13.4.7 (string)

versionStartIncluding : 13.1.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 468AFC4C-4AFE-4502-AE04-CEC567CC9454 (string)

versionEndExcluding : 13.5.5 (string)

versionStartIncluding : 13.5.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : C03EE1D3-7824-43A8-ACA2-7EE7EA9B638E (string)

versionEndExcluding : 13.5.5 (string)

versionStartIncluding : 13.5.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (string)

matchCriteriaId : 8A470CCF-C038-44D4-AB14-B9134C0E7ABC (string)

versionEndExcluding : 13.6.2 (string)

versionStartIncluding : 13.6.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (string)

matchCriteriaId : 63A5C9B5-F86B-4066-8042-865AB4DD4859 (string)

versionEndExcluding : 13.6.2 (string)

versionStartIncluding : 13.6.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7. (string)

}

1 : { »

lang : es (string)

value : Una divulgación de información por medio de GraphQL en GitLab CE/EE versiones 13.1 y posteriores, expone la membresía a grupos privados y proyectos. Esto afecta a las versiones posteriores a 13.6 incluyéndola hasta versiones anteriores a 13.6.2, versiones anteriores a 13.5 incluyéndola hasta versiones anteriores a 13.5.5 y versiones posteriores a 13.1 incluyéndola hasta versiones anteriores a 13.4.7 (string)

}

]

id : CVE-2020-26417 (string)

lastModified : 2024-11-21T05:19:54.073 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 1.4 (number)

source : cve@gitlab.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2020-12-11T04:15:11.767 (string)

references : [ »

0 : { »

source : cve@gitlab.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

}

1 : { »

source : cve@gitlab.com (string)

tags : [ »

0 : Broken Link (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Broken Link (string)

]

url : https://gitlab.com/gitlab-org/gitlab/-/issues/282539 (string)

}

]

sourceIdentifier : cve@gitlab.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-200 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object