CVE-2021-39872 — Improper Authentication in Gitlab

CWE-287 — Improper Authentication5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 55.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedOct 5

Latest updateMay 24

Description

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab14.1.0 — 14.1.7+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.1, <14.1.7, >=14.2, <14.2.5, >=14.3, <14.3.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-v95j-qhvj-8v9x: In all versions of GitLab CE/EE since version 14↗2022-05-24

▶

OSV

CVE-2021-39872: In all versions of GitLab CE/EE since version 14↗2021-10-05

▶

📋Vendor Advisories

GitLab

CVE-2021-39872: In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab↗2021-10-05

▶

Debian

CVE-2021-39872: gitlab - In all versions of GitLab CE/EE since version 14.1, an improper access control v...↗2021

▶