CVE-2020-13359

High

7.6/10

Summary

The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: LOW
Availability Impact: NONE

References

Advisory Timeline

Published Nov 19, 2020

CVE-2020-13359

Summary

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS