CVE-2021-22236 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 54.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedAug 25

Latest updateMay 24

Description

Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDgitlab/gitlab14.1.0 — 14.1.2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.1, <14.1.2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-h963-mpc3-j9g4: Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application↗2022-05-24

▶

OSV

CVE-2021-22236: Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application↗2021-08-25

▶

📋Vendor Advisories

GitLab

CVE-2021-22236: Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is↗2021-08-25

▶

Debian

CVE-2021-22236: gitlab - Due to improper handling of OAuth client IDs, new subscriptions generated OAuth ...↗2021

▶