CVE-2020-13359

Summary

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab CE/EE>=12.10affected
GitLabGitLab CE/EE<13.3.9affected
GitLabGitLab CE/EE>=13.4affected
GitLabGitLab CE/EE<13.4.5affected
GitLabGitLab CE/EE>=13.5affected
GitLabGitLab CE/EE<13.5.2affected

Weaknesses

  • Information exposure in GitLab

ADP Enrichment

CVE Program Container

Additional References

References