CVE-2021-39919 — Weak Password Recovery Mechanism for Forgotten Password in Gitlab

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password5 documents5 sources

Severity

4.4MEDIUMNVD

EPSS

0.1%

top 79.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedDec 13

Latest updateDec 14

Description

In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages5 packages

▶NVDgitlab/gitlab14.0.0 — 14.3.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=14.0, <14.3.6, >=14.4, <14.4.4, >=14.5, <14.5.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-xh8q-q4r3-6x29: In all versions of GitLab CE/EE starting version 14↗2021-12-14

▶

OSV

CVE-2021-39919: In all versions of GitLab CE/EE starting version 14↗2021-12-13

▶

📋Vendor Advisories

GitLab

CVE-2021-39919: In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 be↗2021-12-13

▶

Debian

CVE-2021-39919: gitlab - In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all version...↗2021

▶