CVE-2021-39886 — Incorrect Default Permissions in Gitlab

CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 66.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedOct 5

Latest updateMay 24

Description

Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDgitlab/gitlab10.6.0 — 14.1.7+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=10.6, <14.1.7, >=14.2, <14.2.5, >=14.3, <14.3.1+2

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-cxfj-qcv7-fx7w: Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10↗2022-05-24

▶

OSV

CVE-2021-39886: Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10↗2021-10-05

▶

📋Vendor Advisories

GitLab

CVE-2021-39886: Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 a↗2021-10-05

▶

Debian

CVE-2021-39886: gitlab - Permissions rules were not applied while issues were moved between projects of t...↗2021

▶