CVE-2020-13300 - Incorrect Authorization vulnerability in Gitlab 13.3.0/13.3.1/13.3.2

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
CWE: CWE-863

Summary

GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
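To make the bug class in the summary concrete, the following is an added illustration, not GitLab's or Doorkeeper's code, and it makes no claim about how the GitLab flow was actually implemented. It models an OAuth 2.0 authorization endpoint in two steps: the server records the scopes shown on the consent page, then processes the user's approval. The vulnerable variant re-reads `scope` from the approval submission, so a scope escalated between the consent page and the approval is granted as if the user had agreed to it; the hardened variant grants only the scopes it displayed and aborts the flow on any mismatch. Client IDs, scope names, redirect URI and method names are assumptions chosen for the example.

```ruby
require 'securerandom'

# What the user was asked to approve: client, redirect target and the exact scopes shown.
PendingAuthorization = Struct.new(:id, :client_id, :redirect_uri, :scopes)

# Minimal model of an authorization server's consent step (illustrative only).
class AuthorizationServer
  attr_reader :grants

  def initialize
    @pending = {}  # pending-authorization id => PendingAuthorization
    @grants  = []  # issued grants as { client_id:, scopes: }
  end

  # Step 1 (GET /oauth/authorize): render the consent page and remember what was shown.
  def start(client_id:, redirect_uri:, scope:)
    pa = PendingAuthorization.new(SecureRandom.hex(8), client_id, redirect_uri, scope.split)
    @pending[pa.id] = pa
    pa
  end

  # Step 2, vulnerable: the approval POST carries a `scope` parameter and the server
  # trusts it, so a scope changed after the consent page was rendered is granted.
  def approve_vulnerable(id:, scope:)
    pa = @pending.delete(id) or raise ArgumentError, 'unknown authorization'
    grant(pa.client_id, scope.split)
  end

  # Step 2, hardened: grant exactly the scopes the user saw; any difference between the
  # consented scopes and the submitted ones aborts the flow and discards the pending request.
  def approve_hardened(id:, scope:)
    pa = @pending.delete(id) or raise ArgumentError, 'unknown authorization'
    submitted = scope.split
    unless submitted.sort == pa.scopes.sort
      return { error: 'invalid_scope', consented: pa.scopes, submitted: submitted }
    end
    grant(pa.client_id, pa.scopes)
  end

  private

  def grant(client_id, scopes)
    g = { client_id: client_id, scopes: scopes }
    @grants << g
    g
  end
end

if __FILE__ == $PROGRAM_NAME
  srv = AuthorizationServer.new
  # Constructed scenario: user consents to 'read_user'; the approval submission asks for 'api' too.
  pa = srv.start(client_id: 'example-app', redirect_uri: 'https://app.example/callback', scope: 'read_user')
  puts "vulnerable grant: #{srv.approve_vulnerable(id: pa.id, scope: 'read_user api').inspect}"
  pa = srv.start(client_id: 'example-app', redirect_uri: 'https://app.example/callback', scope: 'read_user')
  puts "hardened result:  #{srv.approve_hardened(id: pa.id, scope: 'read_user api').inspect}"
end
```

The check that matters is that the granted scope set is derived from server-side state created when the consent page was rendered, never from a parameter that travels through the browser between the consent page and the approval.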

Vulnerable Configurations

Part         Description   Count
Application  Gitlab        6

Common Weakness Enumeration (CWE)