CVE-2021-39872
Published: 2021-10-05
Priority: P3 36 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.96% (57.1th percentile)
In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.1.0 < 14.1.7 | 14.1.7 |
| gitlab | gitlab | >= 14.2.0 < 14.2.5 | 14.2.5 |
| gitlab | gitlab_ce | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
GitLab
CVE-2021-39872 · vendor_gitlab · 2021-10-05 · CVSS 6.5 · MEDIUM · CWE-287
Description as in the summary above.
Debian
CVE-2021-39872 (gitlab) · vendor_debian · 2021 · CVSS 6.5 · MEDIUM
Description as in the summary above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-v95j-qhvj-8v9x (CVE-2021-39872) · ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-287
Description as in the summary above.
OSV
CVE-2021-39872 · osv · 2021-10-05 · CVSS 6.5 · MEDIUM
Description as in the summary above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39872.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/337954
- https://hackerone.com/reports/1285226