CVE-2021-22261
published 2021-10-05CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1…
PriorityP421medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.95%
56.9th percentile
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.9.0 < 14.0.9 | 14.0.9 |
| gitlab | gitlab | >= 14.1.0 < 14.1.4 | 14.1.4 |
| gitlab | gitlab | >= 14.2.0 < 14.2.2 | 14.2.2 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
osv4.8MEDIUM
vendor_debian7.3HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GitLab
CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting fro
vendor_gitlab·2021-10-05·CVSS 7.3
CVE-2021-22261 [HIGH] CWE-79 CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting fro
CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
Debian
CVE-2021-22261: gitlab - A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLa...
vendor_debian·2021·CVSS 7.3
CVE-2021-22261 [HIGH] CVE-2021-22261: gitlab - A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLa...
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-2vqg-gr4m-v458: A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13
ghsa_unreviewed·2022-05-24
CVE-2021-22261 [MEDIUM] CWE-79 GHSA-2vqg-gr4m-v458: A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13
A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
OSV
CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13
osv·2021-10-05·CVSS 4.8
CVE-2021-22261 [MEDIUM] CVE-2021-22261: A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22261.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/328389https://hackerone.com/reports/1132083https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22261.jsonhttps://gitlab.com/gitlab-org/gitlab/-/issues/328389https://hackerone.com/reports/1132083
2021-10-05
Published