4.2

CVE-2021-39899

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitlab SwEditioncommunity Version >= 1.0.0 < 14.1.7
GitlabGitlab SwEditionenterprise Version >= 1.0.0 < 14.1.7
GitlabGitlab SwEditioncommunity Version >= 14.2 < 14.2.5
GitlabGitlab SwEditionenterprise Version >= 14.2 < 14.2.5
GitlabGitlab SwEditioncommunity Version >= 14.3 < 14.3.1
GitlabGitlab SwEditionenterprise Version >= 14.3 < 14.3.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.223
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.2 0.5 3.6
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 1.9 3.4 2.9
AV:L/AC:M/Au:N/C:P/I:N/A:N
cve@gitlab.com 2.9 0.4 2.5
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.