CVE-2021-39943
Published 2022-02-09
Priority: P4 | 21 | medium 4.3 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.87% (54.3rd percentile)
An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 14.1.0 < 14.3.6 | 14.3.6 |
| gitlab | gitlab | >= 14.4.0 < 14.4.4 | 14.4.4 |
| gitlab | gitlab | >= 14.5.0 < 14.5.2 | 14.5.2 |
| gitlab | gitlab_ee | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
gitlab: An authorization logic error in the External Status Check API in GitLab EE
vendor_redhat·2022-02-10·CVSS 4.3
CVE-2021-39943 [MEDIUM] CWE-639 gitlab: An authorization logic error in the External Status Check API in GitLab EE
Statement: The GitLab package used in OpenShift is a GitLab API NodeJS library which is not affected by CVE-2021-39943.
Package: openshift4/ose-console (Red Hat OpenShift Container Platform 4) - Not affected
GitLab
CVE-2021-39943: An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions start
vendor_gitlab·2022-02-09·CVSS 4.3
CVE-2021-39943 [MEDIUM] CWE-863 CVE-2021-39943: An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions start
Debian
CVE-2021-39943: gitlab - An authorization logic error in the External Status Check API in GitLab EE affec...
vendor_debian·2021·CVSS 4.3
CVE-2021-39943 [MEDIUM] CVE-2021-39943: gitlab - An authorization logic error in the External Status Check API in GitLab EE affec...
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
GHSA
GHSA-2hjx-qmr7-gg4r: An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14
ghsa_unreviewed·2022-02-11
CVE-2021-39943 [MEDIUM] CWE-863 GHSA-2hjx-qmr7-gg4r: An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39943.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/343604
- https://hackerone.com/reports/1375393