CVE-2021-39930 — Incorrect Authorization in Gitlab

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 52.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedDec 13

Latest updateDec 14

Description

Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶NVDgitlab/gitlab12.4.0 — 14.3.6+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=12.4, <14.3.6, >=14.4, <14.4.4, >=14.5, <14.5.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-gfwx-7f38-2397: Missing authorization in GitLab EE versions between 12↗2021-12-14

▶

OSV

CVE-2021-39930: Missing authorization in GitLab EE versions between 12↗2021-12-13

▶

📋Vendor Advisories

GitLab

CVE-2021-39930: Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to a↗2021-12-13

▶

Debian

CVE-2021-39930: gitlab - Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14....↗2021

▶