CVE-2021-39908 — Code Injection in Gitlab

CWE-94 — Code Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 60.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedApr 1

Latest updateApr 3

Description

In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab0.8.0 — 14.2.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=0.8.0, <14.2.6, >=14.3, <14.3.4, >=14.4, <14.4.1+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-hm25-53gr-mc5r: In all versions of GitLab CE/EE, certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge reques↗2022-04-03

▶

OSV

CVE-2021-39908: In all versions of GitLab CE/EE starting from 0↗2022-04-01

▶

📋Vendor Advisories

GitLab

CVE-2021-39908: In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4↗2022-04-01

▶

Debian

CVE-2021-39908: gitlab - In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions ...↗2021

▶