CVE-2021-39872

EPSS 0.22%
Veröffentlicht 05.10.2021 13:15:08
Zuletzt bearbeitet 21.11.2024 06:20:26
Quelle cve@gitlab.com
CVE-Watchlists
Login
Unerledigt
Login

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditioncommunity Version >= 14.1.0 < 14.1.7

Gitlab ≫ Gitlab SwEditionenterprise Version >= 14.1.0 < 14.1.7

Gitlab ≫ Gitlab SwEditioncommunity Version >= 14.2.0 < 14.2.5

Gitlab ≫ Gitlab SwEditionenterprise Version >= 14.2.0 < 14.2.5

Gitlab ≫ Gitlab Version4.3.0 SwEditioncommunity

Gitlab ≫ Gitlab Version4.3.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.441

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
cve@gitlab.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39872.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/337954

Broken Link

https://hackerone.com/reports/1285226

Third Party Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-39872

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-39872

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-39872

EUVD