Base Score

CRITICAL9.6

CVE-2020-13292

In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.

VectorNETWORK

Published Bycve@gitlab.com

Published DateAug 10, 2020, 14:15

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13292.json
https://gitlab.com/gitlab-org/gitlab/-/issues/228629
https://hackerone.com/reports/922456

Base Score

CRITICAL9.6

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE