A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
Name | Vendor | Start Version | End Version |
---|---|---|---|
Gitlab | Gitlab | 13.1.0 | * |
Gitlab | Gitlab | 13.1.0 | * |
Gitlab | Gitlab | 13.2.0 | * |
Gitlab | Gitlab | 13.2.0 | * |
Gitlab | Gitlab | 13.3.0 | * |
Gitlab | Gitlab | 13.3.0 | * |