A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
CVSS Score
8.1
EPSS Score
0.002
Published
2020-09-14
GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
CVSS Score
8.0
EPSS Score
0.002
Published
2020-09-14
Page 47