CVE-2021-39881 — Gitlab vulnerability
Severity: 3.5 LOW (NVD)
EPSS: 0.3% (top 51.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 5, 2021
Latest update: May 24
Description
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.1 | Impact: 1.4
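The description above boils down to one missing check: the registration form for an OAuth client application accepted any scope string, so whatever text the registering user typed could later appear on the consent screen as if it were a server-defined scope. The following is an added example, not GitLab's code, showing that permissive registration next to a hardened one that only accepts scopes the authorization server itself defines. The scope table and the application name are constructed for this example.

```ruby
# Added example (not GitLab's code): OAuth client registration with
# attacker-controlled scope names, shown as a permissive validator next to a
# hardened one. KNOWN_SCOPES is a constructed stand-in for whatever scope
# table a real authorization server maintains.

# Scopes the authorization server actually understands, with the wording the
# consent screen should use for each. Constructed for this example.
KNOWN_SCOPES = {
  'read_user' => 'Read-only access to your profile information',
  'api'       => 'Full read/write access to the API',
}.freeze

ClientApp = Struct.new(:name, :scopes)

class UnknownScopeError < StandardError; end

# Permissive registration (the vulnerable pattern): the space-delimited scope
# parameter from the registration form is stored verbatim. Nothing stops the
# registering user from inventing a reassuring-sounding scope name.
def register_client_permissive(name, scope_param)
  ClientApp.new(name, scope_param.split)
end

# Hardened registration: every requested scope must exactly match a key in the
# server's own scope table. Unknown names are rejected at registration time,
# so no client-chosen wording can ever reach the consent screen.
def register_client_strict(name, scope_param)
  requested = scope_param.split.uniq
  unknown = requested.reject { |s| KNOWN_SCOPES.key?(s) }
  raise UnknownScopeError, "unknown scope(s): #{unknown.join(', ')}" unless unknown.empty?
  ClientApp.new(name, requested)
end

# Consent-screen rendering. The fallback branch is what makes the permissive
# path dangerous: a scope with no server-side description is "humanized" from
# the stored name, so attacker-chosen text is shown to the victim as the
# meaning of the permission they are about to grant.
def consent_lines(app)
  app.scopes.map do |s|
    label = KNOWN_SCOPES.fetch(s) { s.tr('_', ' ') }
    "#{app.name} requests #{s}: #{label}"
  end
end

# Defense in depth for applications registered before the fix: at
# authorization time, only scopes the server knows are actually granted.
def grantable_scopes(app)
  app.scopes.select { |s| KNOWN_SCOPES.key?(s) }
end

if __FILE__ == $PROGRAM_NAME
  spoofed = 'read_user only_reads_public_data_nothing_else'
  app = register_client_permissive('Helpful Tool', spoofed)
  puts consent_lines(app)
  puts "granted: #{grantable_scopes(app).join(' ')}"
  begin
    register_client_strict('Helpful Tool', spoofed)
  rescue UnknownScopeError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the misleading consent line produced by the permissive path, then the rejection from the strict path. Validating at registration alone is not enough once bad registrations already exist, which is why `grantable_scopes` re-checks the stored list at authorization time as well.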
Affected Packages (5 packages)
Vendor Advisories (2)
GitLab, 2021-10-05: CVE-2021-39881: In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope na...
Debian, 2021: CVE-2021-39881: gitlab - In all versions of GitLab CE/EE since version 7.7, the application may let a mal...