CVE-2021-39945Incorrect Authorization in Gitlab

CWE-863Incorrect Authorization6 documents5 sources
Severity
2.7LOWNVD
OSV9.1
EPSS
0.2%
top 52.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GitlabDebian GitlabGitlab CE
Timeline
PublishedDec 13
Latest updateAug 24

Description

Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages5 packages

NVDgitlab/gitlab9.4.014.3.6+2
debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)
CVEListV5gitlab/gitlab>=14.4, <14.4.4, >=14.5, <14.5.2, >=9.4, <14.3.6+2
gitlabgitlab/gitlab

🔴Vulnerability Details

3
OSV
fastdds vulnerabilities2023-08-24
GHSA
GHSA-3cm3-9ccj-7mvq: Improper access control in the GitLab CE/EE API affecting all versions starting from 92021-12-14
OSV
CVE-2021-39945: Improper access control in the GitLab CE/EE API affecting all versions starting from 92021-12-13

📋Vendor Advisories

2
GitLab
CVE-2021-39945: Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4,2021-12-13
Debian
CVE-2021-39945: gitlab - Improper access control in the GitLab CE/EE API affecting all versions starting ...2021