CVE-2020-10975
Description
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE/CE 10.8 to 12.9 leaks metadata and comments on vulnerabilities to unauthorized users via the vulnerability feedback page.
Vulnerability
GitLab EE/CE versions 10.8 through 12.9 contain an information disclosure vulnerability in the vulnerability feedback page. The page exposes metadata and comments associated with vulnerabilities to users who should not have access, violating access control restrictions [1][2].
Exploitation
An attacker needs only network access to a vulnerable GitLab instance and can simply browse to the vulnerability feedback page. No special privileges are required beyond a valid user account on the instance; the page fails to check authorization before returning sensitive data [2].
Impact
Successful exploitation allows an unauthorized user to view metadata and comments on vulnerabilities, leading to information disclosure. This can reveal internal security discussions, vulnerability details, and potentially sensitive project information that the attacker should not have access to [1][2].
Mitigation
The vulnerability is fixed in GitLab 12.9.1, released on March 26, 2020 [2]. Users should upgrade to 12.9.1 or later. As no workarounds are available, upgrading is the recommended action. Versions 10.8 to 12.9 are affected and should be patched promptly [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab/GitLab EE/CE
- Range: >=10.8, <=12.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
- [2] about.gitlab.com/releases/categories/releases/
News mentions
No linked articles in our index yet.