CVE-2021-20306: Incorrect Authorization
A flaw was found in the BPMN editor. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat from this vulnerability is to confidentiality.