CVE-2020-13353 - OpenCVE

When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitaly

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitaly::::::::
	cpe:2.3:a:gitlab:gitaly::::::::
	cpe:2.3:a:gitlab:gitaly::::::::

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitaly/-/issues/2882	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitLab

Published: 2020-11-17T00:26:35

Updated: 2022-05-13T13:59:44

Reserved: 2020-05-21T00:00:00

Link: CVE-2020-13353

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-17T01:15:13.310

Modified: 2022-06-13T19:57:40.387

Link: CVE-2020-13353

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"containers": {"cna": {"affected": [{"product": "Gitaly", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=1.79.0, <13.3.9"}, {"status": "affected", "version": ">=13.4, <13.4.5"}, {"status": "affected", "version": ">=13.5, <13.5.2"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team"}], "descriptions": [{"lang": "en", "value": "When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cleartext storage of sensitive information in Gitaly", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-13T13:59:44", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2020-13353", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Gitaly", "version": {"version_data": [{"version_value": ">=1.79.0, <13.3.9"}, {"version_value": ">=13.4, <13.4.5"}, {"version_value": ">=13.5, <13.5.2"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cleartext storage of sensitive information in Gitaly"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json"}]}}}}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2020-13353", "datePublished": "2020-11-17T00:26:35", "dateReserved": "2020-05-21T00:00:00", "dateUpdated": "2022-05-13T13:59:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*", "matchCriteriaId": "14B63381-3635-4C77-A556-E6515829A265", "versionEndExcluding": "13.3.9", "versionStartIncluding": "1.79.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5E8AE21-2790-4A73-85FF-D85D1558007C", "versionEndExcluding": "13.4.5", "versionStartIncluding": "13.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8F11B88-8B47-462B-A8E4-3B706CFA8592", "versionEndExcluding": "13.5.2", "versionStartIncluding": "13.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above."}, {"lang": "es", "value": "Cuando se importa repositorios por medio de URL, las credenciales git de un solo uso se manten\u00edan m\u00e1s all\u00e1 de la ventana de tiempo esperada en Gitaly 1.79.0 o superior."}], "id": "CVE-2020-13353", "lastModified": "2022-06-13T19:57:40.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2020-11-17T01:15:13.310", "references": [{"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13353.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitaly/-/issues/2882"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}