CVE-2021-39895

EPSS 0.28%
Veröffentlicht 05.11.2021 00:15:10
Zuletzt bearbeitet 21.11.2024 06:20:29
Quelle cve@gitlab.com
CVE-Watchlists
Login
Unerledigt
Login

In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 0 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitlab ≫ Gitlab SwEditioncommunity Version >= 8.0.0 < 14.1.7

Gitlab ≫ Gitlab SwEditionenterprise Version >= 8.0.0 < 14.1.7

Gitlab ≫ Gitlab SwEditioncommunity Version >= 14.2.0 < 14.2.5

Gitlab ≫ Gitlab SwEditionenterprise Version >= 14.2.0 < 14.2.5

Gitlab ≫ Gitlab Version14.3.0 SwEditioncommunity

Gitlab ≫ Gitlab Version14.3.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.511

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:N/AC:H/Au:S/C:P/I:N/A:N
cve@gitlab.com	6	0.5	5.5	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/337824

Broken Link

https://hackerone.com/reports/1272535

Third Party Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-39895

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-39895

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-39895

EUVD