CVE-2020-13349 - OpenCVE

An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/257497	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitLab

Published: 2020-11-17T18:22:32

Updated: 2020-11-17T18:22:32

Reserved: 2020-05-21T00:00:00

Link: CVE-2020-13349

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-17T19:15:11.200

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-13349

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "GitLab EE", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=8.12"}, {"status": "affected", "version": "<13.3.9"}, {"status": "affected", "version": ">=13.4"}, {"status": "affected", "version": "<13.4.5"}, {"status": "affected", "version": ">=13.5"}, {"status": "affected", "version": "<13.5.2"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team"}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Uncontrolled resource consumption in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-17T18:22:32", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13349", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab EE", "version": {"version_data": [{"version_value": ">=8.12"}, {"version_value": "<13.3.9"}, {"version_value": ">=13.4"}, {"version_value": "<13.4.5"}, {"version_value": ">=13.5"}, {"version_value": "<13.5.2"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Uncontrolled resource consumption in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"}]}}}}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13349", "datePublished": "2020-11-17T18:22:32", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2020-11-17T18:22:32", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "72502307-0B19-406D-9D9C-0E9D919591BA", "versionEndExcluding": "13.3.9", "versionStartIncluding": "8.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E04A3096-9883-4120-ADE4-8CEBE811E242", "versionEndExcluding": "13.4.5", "versionStartIncluding": "13.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "59FA227C-599B-4636-8FD9-71A60D0C8ABC", "versionEndExcluding": "13.5.2", "versionStartIncluding": "13.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2."}, {"lang": "es", "value": "Ha sido detectado un problema en GitLab EE que afecta a todas las versiones desde 8.12. Una expresi\u00f3n regular relacionada con una ruta de archivo result\u00f3 en la funcionalidad Advanced Search susceptible a un retroceso catastr\u00f3fico. Las versiones afectadas son las versiones posteriores a 8.12 e incluy\u00e9ndola, versiones anteriores a 13.3.9, versiones posteriores a 13.4 e incluy\u00e9ndola, versiones anteriores a 13.4.5, versiones posteriores a 13.5 e incluy\u00e9ndola, versiones anteriores a 13.5.2"}], "id": "CVE-2020-13349", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2020-11-17T19:15:11.200", "references": [{"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13349.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/257497"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}