CVE-2020-7966

7.5 HIGH

📋 TL;DR

CVE-2020-7966 is a directory traversal vulnerability in GitLab Enterprise Edition that allows attackers to read arbitrary files on the server. This affects GitLab EE versions 11.11 through 12.7.2. Organizations running vulnerable GitLab instances are at risk of sensitive data exposure.

💻 Affected Systems

Products:
  • GitLab Enterprise Edition
Versions: 11.11 through 12.7.2
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitLab Enterprise Edition (EE). GitLab Community Edition (CE) is not affected. All deployment methods (Omnibus, Docker, source) are vulnerable.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive configuration files, source code, credentials, or other confidential data stored on the GitLab server, potentially leading to complete system compromise.

🟠 Likely Case

Unauthorized access to sensitive files containing API keys, database credentials, or proprietary source code, enabling further attacks or intellectual property theft.

🟢 If Mitigated

Limited impact with proper network segmentation, file system permissions, and monitoring in place to detect and block traversal attempts.

🌐 Internet-Facing: HIGH - Internet-facing GitLab instances are directly accessible to attackers without requiring internal network access.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or attackers who have gained internal network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication as a GitLab user. Directory traversal techniques are well-understood and easy to implement once the vulnerability is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GitLab EE 12.7.4 and later

Vendor Advisory: https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab EE 12.7.4 or later using your package manager.
3. For Omnibus: 'sudo apt-get update && sudo apt-get install gitlab-ee'.
4. Run 'sudo gitlab-ctl reconfigure'.
5. Verify the update with 'sudo gitlab-rake gitlab:env:info'.

🔧 Temporary Workarounds

Access Restriction (linux)

Restrict GitLab access to trusted networks only using firewall rules. Replace TRUSTED_NETWORK with the trusted source network in CIDR notation.

# --dport accepts a single port or range; the multiport match is needed for 80 and 443 together
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit GitLab access to authorized users only
  • Enable detailed logging and monitoring for file access patterns and implement file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check GitLab version: 'sudo gitlab-rake gitlab:env:info | grep Version'. If version is between 11.11 and 12.7.2 inclusive, you are vulnerable.

Check Version:

sudo gitlab-rake gitlab:env:info | grep Version

Verify Fix Applied:

Confirm version is 12.7.4 or later: 'sudo gitlab-rake gitlab:env:info | grep Version'

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in GitLab logs
  • Multiple failed attempts to access files outside expected directories
  • Requests with '../' sequences in URLs

Network Indicators:

  • HTTP requests containing directory traversal sequences like '../' or '..\'
  • Unusual file downloads from GitLab server

SIEM Query:

source="gitlab.log" AND ("..\\" OR "../" OR "%2e%2e%2f" OR "%2e%2e%5c")

(The backslash in the first term is escaped so the quoted string is not terminated early.)
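The indicators above can be checked in code rather than by eye. The following is an added example, not part of this advisory or of GitLab: it normalizes request paths from constructed records shaped like GitLab's production_json.log (repeated percent-decoding to unwrap double encoding, backslashes treated as separators) and flags any request whose path contains a '..' segment, without flagging legitimate names that merely contain dots. The sample records, IPs and usernames are made up.

```python
import json
from urllib.parse import unquote

# Constructed sample records shaped like GitLab's production_json.log
# (one JSON object per request). Made-up traffic, not real log data.
SAMPLE_LOG = """
{"method":"GET","path":"/grp/proj/-/blob/master/README.md","status":200,"remote_ip":"10.0.0.5","username":"alice"}
{"method":"GET","path":"/grp/proj/-/raw/master/../../../../etc/hosts","status":200,"remote_ip":"10.0.0.9","username":"mallory"}
{"method":"GET","path":"/grp/proj/-/raw/master/%2e%2e%2f%2e%2e%2fconfig/app.yml","status":200,"remote_ip":"10.0.0.9","username":"mallory"}
{"method":"GET","path":"/grp/proj/-/raw/master/..%5c..%5cetc%5chosts","status":404,"remote_ip":"10.0.0.9","username":"mallory"}
{"method":"GET","path":"/grp/proj/-/raw/master/%252e%252e%252fetc%252fhosts","status":404,"remote_ip":"10.0.0.9","username":"mallory"}
{"method":"GET","path":"/grp/proj/-/blob/master/docs/v1...v2.md","status":200,"remote_ip":"10.0.0.5","username":"alice"}
"""


def normalize_path(path: str, max_passes: int = 3) -> str:
    """Percent-decode repeatedly (unwraps %252e double encoding), then treat
    backslashes as separators so '..\\' variants collapse to '../'."""
    decoded = path
    for _ in range(max_passes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when any path segment is exactly '..' after normalization.
    Segment matching avoids flagging legitimate names such as 'v1...v2.md'."""
    return ".." in normalize_path(path).split("/")


def scan_log(text: str) -> list:
    """Return (remote_ip, username, status, path) for every request whose
    path contains a traversal segment; blank and non-JSON lines are skipped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_traversal(rec.get("path", "")):
            hits.append((rec.get("remote_ip"), rec.get("username"),
                         rec.get("status"), rec["path"]))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the four mallory requests, including the backslash and double-encoded variants, and leaves both alice requests alone; a 404 still counts as an attempt worth alerting on.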
