CVE-2020-10955

MEDIUM

GitLab EE/CE <12.9 - Info Disclosure

Title source: llm

Description

GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.

References (3)

Core 3

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://about.gitlab.com/releases/categories/releases/

Release Notes, Vendor Advisory x_refsource_confirm

https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2020/dsa-4691

Scores

CVSS v3 6.5

EPSS 0.0018

EPSS Percentile 39.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-862

Status published

Products (2)

debian/debian_linux 10.0

gitlab/gitlab 11.1.0 - 12.9.1 (2 CPE variants)

Published Mar 27, 2020

Tracked Since Feb 18, 2026