CVE-2021-39909

Published: Nov 5, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances

Affected (5)

Products: Gitlab: Gitlab

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 11.3.0 to 14.2.6
Gitlab Gitlab	From 14.3.0 to 14.3.4
Gitlab Gitlab	Version 14.4.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 11.2.0 to 14.3.4

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 11.3.0 to 14.4.1

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39909.json

Source: cve@gitlab.com

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/335191

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/1237750

Source: cve@gitlab.com

Permissions RequiredThird Party Advisory

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39909.json

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/335191

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://hackerone.com/reports/1237750

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.