CVE-2020-1940: Information Exposure

January 28, 2020 (updated July 21, 2021)

The optional initial password change and password expiration features are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials object but does not remove it upon processing during the first phase of the authentication. In combination with additional, independent authentication mechanisms, this may lead to the new password being disclosed.

References

nvd.nist.gov/vuln/detail/CVE-2020-1940

Code Behaviors & Features

Detect and mitigate CVE-2020-1940 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →