Vulnerability Details : CVE-2020-13319
An issue has been discovered in GitLab affecting versions prior to 13.1.2, 13.0.8 and 12.10.13. Missing permission check for adding time spent on an issue.
Exploit prediction scoring system (EPSS) score for CVE-2020-13319
Probability of exploitation activity in the next 30 days: 0.08%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 33 %
CVSS scores for CVE-2020-13319
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 2.8 | 1.4 | GitLab Inc. |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 2.8 | 1.4 | NIST |
CWE ids for CVE-2020-13319
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13319
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13319.json
  2020/CVE-2020-13319.json · master · GitLab.org / cves · GitLab [Vendor Advisory]
- https://gitlab.com/gitlab-org/gitlab/-/issues/201806
  Non members can add spent time and reset spent time from issues created by themselves- API (#201806) · Issues · GitLab.org / GitLab · GitLab [Exploit; Vendor Advisory]
- https://hackerone.com/reports/755188
  Sign in [Permissions Required]
Products affected by CVE-2020-13319
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*