CVE-2021-39937: Improper Privilege Management in GitLab

Severity: 8.8 HIGH (NVD)
EPSS: 0.2% (top 64.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 13, 2021; latest update Dec 14, 2021

Description

A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2 leads to potentially elevated privileges in groups and projects under rare circumstances. Fixed in 14.3.6, 14.4.4 and 14.5.2.
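The advisory names the failure class (a memoized access check whose cache key can collide) but not the mechanism. The following is an added, hypothetical illustration of that class in Ruby; it is not GitLab's code and does not claim to reproduce the actual CVE-2021-39937 logic. All names (AccessChecker, WEAK_KEY, STRONG_KEY, the users and projects) are constructed for the example. The weak key concatenates two numeric ids into one string, so user 1 on project 23 and user 12 on project 3 share the key "123" and the second caller receives the first caller's cached answer; the hardened key is a tuple of the ids, which cannot collide.

```ruby
# Added example: memoization-key collision in an access check.
# Hypothetical code, NOT GitLab's implementation of CVE-2021-39937.
require 'set'

User    = Struct.new(:id, :username)
Project = Struct.new(:id, :path, :maintainer_ids) # maintainer_ids: Set of user ids

class AccessChecker
  attr_reader :evaluations

  # key_strategy: a lambda that derives the memoization key from (user, project)
  def initialize(key_strategy)
    @key_strategy = key_strategy
    @memo = {}
    @evaluations = 0 # how many times the real check actually ran
  end

  # Memoized check: the first call for a given key computes the real answer;
  # every later call with the same key gets the cached answer, whoever asks.
  def maintainer?(user, project)
    key = @key_strategy.call(user, project)
    return @memo[key] if @memo.key?(key)

    @evaluations += 1
    @memo[key] = project.maintainer_ids.include?(user.id)
  end
end

# Weak key: two ids joined into one string. (1, 23) and (12, 3) both give "123".
WEAK_KEY   = ->(u, p) { "#{u.id}#{p.id}" }
# Hardened key: a tuple of the ids. Ruby arrays hash by content, and
# [1, 23] != [12, 3], so distinct pairs never share a cache entry.
STRONG_KEY = ->(u, p) { [u.id, p.id] }

# Constructed sample data: alice (id 1) maintains acme/internal (id 23);
# mallory (id 12) is a member of nothing; acme/scratch (id 3) has no maintainers.
def run_scenario(key_strategy)
  alice    = User.new(1,  'alice')
  mallory  = User.new(12, 'mallory')
  internal = Project.new(23, 'acme/internal', Set[1])
  scratch  = Project.new(3,  'acme/scratch',  Set[])

  checker = AccessChecker.new(key_strategy)
  alice_allowed   = checker.maintainer?(alice, internal)  # true, now cached
  mallory_allowed = checker.maintainer?(mallory, scratch) # should be false
  { alice: alice_allowed, mallory: mallory_allowed, evaluations: checker.evaluations }
end

if __FILE__ == $PROGRAM_NAME
  { weak: WEAK_KEY, strong: STRONG_KEY }.each do |name, strategy|
    puts "#{name}: #{run_scenario(strategy)}"
  end
end
```

With WEAK_KEY the second lookup hits alice's cached `true` and mallory is reported as a maintainer of a project she does not belong to, after a single real evaluation. With STRONG_KEY both checks run and mallory is correctly denied. The practical check when reviewing memoized authorization code is that the key encodes every input the decision depends on, with unambiguous separation between the parts.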

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
(Network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope; high confidentiality, integrity and availability impact.)

Affected Packages (5 packages)

NVD        gitlab/gitlab   >=14.4.0, <14.4.4 (+2 more ranges)
Debian     debian/gitlab   < 15.10.8+ds1-2 (sid)
CVEListV5  gitlab/gitlab   >=0.0, <14.3.6; >=14.4, <14.4.4; >=14.5, <14.5.2 (+2 more ranges)
GitLab     gitlab/gitlab   (no version range given)

Vulnerability Details (2)

GHSA   GHSA-r45q-p6m3-6gmv: A collision in access memoization logic in all versions of GitLab CE/EE before 14… (2021-12-14)
OSV    CVE-2021-39937: A collision in access memoization logic in all versions of GitLab CE/EE before 14… (2021-12-13)

Vendor Advisories (2)

GitLab   CVE-2021-39937: A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions sta… (2021-12-13)
Debian   CVE-2021-39937: gitlab - A collision in access memoization logic in all versions of GitLab CE/EE before 1… (2021)