CVE-2021-22203

2021-04-0216:16:15

GitLab

www.cve.org

gitlab ce/ee

version 13.7.9

version 13.8.7

version 13.9

version 13.9.5

version 13.10

arbitrary file read

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

73.4%

JSON

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions starting from 13.9 before 13.9.5, and all versions starting from 13.10 before 13.10.1. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.

CNA Affected

[
  {
    "product": "GitLab",
    "vendor": "GitLab",
    "versions": [
      {
        "status": "affected",
        "version": ">=13.10, <13.10.1"
      },
      {
        "status": "affected",
        "version": ">=13.9, <13.9.5"
      },
      {
        "status": "affected",
        "version": ">=13.7.9, <13.8.7"
      }
    ]
  }
]