Description
BBOT's gitlab.py exposes globally configured "gitlab" API key
Summary
bbot's gitlab.py sends the user's "gitlab" API key to on-premise GitLab instances.
If a user has configured a gitlab.com API key using this mechanism, it may be leaked to an attacker-controlled server.
Impact
A user with a "gitlab" API key configured who uses bbot to scan a malicious webserver may leak their gitlab.com API key to an untrustworthy server.
Packages

Name: bbot (pip)
Affected versions: < 2.7.0
Fixed version: 2.7.2

Name: bbot (pip)
Affected versions: >= 2.7.0.6919rc0, < 2.7.2
Fixed version: 2.7.2
Related vulnerabilities
CVSS3: 4.7
nvd
4 months ago
BBOT's gitlab module could be abused to disclose a GitLab API key to an attacker controlled server with a malicious formatted git URL.