CVE-2020-8113: 
GitLab vulnerability analysis and mitigation

GitLab versions 10.7 through 12.7.2 contained an Incorrect Access Control vulnerability identified as CVE-2020-8113. The vulnerability specifically involved the Docker registry being improperly accessible through deploy tokens with read_repository scope, even when they didn't have the required read_registry permissions (GitLab Release).

The vulnerability allowed deploy tokens with only read_repository scope to access the Docker registry, despite not having the explicit read_registry scope that should have been required. This represented an access control bypass that could be exploited by logging into the Docker registry using deploy token credentials that should not have had sufficient permissions (GitLab Issue).

The vulnerability could allow unauthorized users to gain access to private Docker registry contents. Additionally, there was no audit trail of this unauthorized access, meaning organizations would have no way to detect when their Docker registry was accessed using tokens that should not have had sufficient privileges (GitLab Issue).

The vulnerability was patched in GitLab versions 12.8.2, 12.7.7, and 12.6.8. Organizations running affected versions were strongly recommended to upgrade to the latest version as soon as possible to remediate this security issue (GitLab Release).

The vulnerability was responsibly reported by security researcher @xanbanx and was addressed by GitLab in a security release that included fixes for multiple vulnerabilities (GitLab Release).