CVE-2021-39880 — GitLab vulnerability
6 documents, 5 sources
Severity
6.5 MEDIUM (NVD)
EPSS
0.4%
top 40.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 5
Latest update: May 24
Description
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 6 packages
Vulnerability Details (3)
Vendor Advisories (2)
GitLab
CVE-2021-39880: A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions sta (2021-10-05)
Debian
CVE-2021-39880: gitlab - A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab... (2021)