CVE-2020-26405

Summary

Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab CE/EE>=12.8affected
GitLabGitLab CE/EE<13.3.9affected
GitLabGitLab CE/EE>=13.4affected
GitLabGitLab CE/EE<13.4.5affected
GitLabGitLab CE/EE>=13.5affected
GitLabGitLab CE/EE<13.5.2affected

Weaknesses

  • Improper limitation of a pathname to a restricted directory ('path traversal') in GitLab

ADP Enrichment

CVE Program Container

Additional References

References