CVE-2020-9708: Path Traversal
The resolveRepositoryPath function does not properly validate user input, so a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access to private Git repositories as long as the malicious user knows or brute-forces the location of the repository.
References
Detect and mitigate CVE-2020-9708 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →