CVE-2021-39930
Published 2021-12-13
Priority P4 · 21 · medium · 4.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS 0.81% (52.3rd percentile)
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 12.4.0 < 14.3.6 | 14.3.6 |
| gitlab | gitlab | >= 14.4.0 < 14.4.4 | 14.4.4 |
| gitlab | gitlab | >= 14.5.0 < 14.5.2 | 14.5.2 |
| gitlab | gitlab_ee | — | — |
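The affected ranges above are half-open: the lower bound is included and the upper bound is the fixed release. As an added example (not GitLab's code, nor anything published with the advisory), the following Python checks an instance's version string against those three ranges. GitLab's own version strings carry an edition suffix such as `14.4.2-ee`, so the parser tolerates it; the `SAMPLE_API_BODY` mirrors the shape of a `GET /api/v4/version` response but is constructed here, not fetched from a real instance.

```python
"""Check a GitLab version string against the affected ranges for CVE-2021-39930."""
import json
import re
from typing import List, Optional, Tuple

# Affected ranges as published for CVE-2021-39930, as [lower, upper):
# the upper bound of each range is the release that carries the fix.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("12.4.0", "14.3.6"),
    ("14.4.0", "14.4.4"),
    ("14.5.0", "14.5.2"),
]

# Leading MAJOR.MINOR.PATCH; anything after it ("-ee", "-pre", build metadata) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' from a GitLab version string such as '14.3.5-ee'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (lower, fixed) range the version falls into, or None if it is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        # Tuple comparison gives numeric, not lexicographic, ordering (14.10 > 14.9).
        if parse_version(lower) <= v < parse_version(fixed):
            return (lower, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def fixed_release_for(version: str) -> Optional[str]:
    """The patch release an affected version should move to; None when already fixed or out of range."""
    rng = affected_range(version)
    return rng[1] if rng else None


def version_from_api_response(body: str) -> str:
    """Extract the version from a /api/v4/version JSON body ({"version": ..., "revision": ...})."""
    return json.loads(body)["version"]


# Constructed sample body in the shape of GitLab's /api/v4/version response; not from a real instance.
SAMPLE_API_BODY = '{"version": "14.4.2-ee", "revision": "0123456789a"}'


if __name__ == "__main__":
    for candidate in ("12.3.9", "12.4.0", "14.3.5-ee", "14.3.6-ee", "14.4.3", "14.5.2", "15.10.8"):
        print(f"{candidate:>10}: affected={is_affected(candidate)} fix={fixed_release_for(candidate)}")
    api_version = version_from_api_response(SAMPLE_API_BODY)
    print(f"sample API body reports {api_version}: affected={is_affected(api_version)}")
```

The check is purely version-based: it tells you whether the instance is inside a published range, not whether it is actually an EE instance, and the advisory scopes the issue to GitLab EE. Treat a hit as "patch to the listed fixed release or later" rather than as proof of exposure.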
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
GitLab
vendor_gitlab · 2021-12-13 · CVSS 4.3 · MEDIUM · CWE-863
CVE-2021-39930: Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Debian
vendor_debian · 2021 · CVSS 4.3 · MEDIUM
CVE-2021-39930: gitlab - Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
ghsa_unreviewed · 2021-12-14 · MEDIUM · CWE-863
GHSA-gfwx-7f38-2397: Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
OSV
osv · 2021-12-13 · CVSS 4.3 · MEDIUM
CVE-2021-39930: Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39930.json
https://gitlab.com/gitlab-org/gitlab/-/issues/26103
https://hackerone.com/reports/475240
Published 2021-12-13