Vulnerability CVE-2021-39909


Published: 2021-11-05

Description:
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass the CODEOWNERS Merge Request approval requirement under rare circumstances.

Type:
CWE-347 (Improper Verification of Cryptographic Signature)

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Single time

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Affected software: Gitlab -> Gitlab

References:
https://hackerone.com/reports/1237750
https://gitlab.com/gitlab-org/gitlab/-/issues/335191
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39909.json
