
CVE-2021-39911

2021-11-04 23:16:02
GitLab
www.cve.org
gitlab ce/ee
version 13.9
version 14.2.6
version 14.3
version 14.3.4
version 14.4
version 14.4.1
issue
merge requests
webhook data consumers
email address
improper access control

CVSS3

1.7

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

22.7%

An improper access control flaw in GitLab CE/EE, affecting all versions starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1, exposes the private email address of Issue and Merge Request assignees to webhook data consumers. Any system receiving the instance's webhook payloads (CI bots, chat integrations, third-party SaaS) could therefore read an assignee's email even when that user had chosen to keep it private.

CNA Affected

[
  {
    "product": "GitLab",
    "vendor": "GitLab",
    "versions": [
      {
        "status": "affected",
        "version": ">=13.9, <14.2.6"
      },
      {
        "status": "affected",
        "version": ">=14.3, <14.3.4"
      },
      {
        "status": "affected",
        "version": ">=14.4, <14.4.1"
      }
    ]
  }
]
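The three version ranges in the CNA Affected block are the practical test for this advisory: an operator wants to know whether a given GitLab build falls inside one of them and which patched release closes it. The following is an added example (not GitLab's own tooling and not code from the advisory) that parses the ranges exactly as printed above and evaluates a version string against them. The sample versions at the bottom are constructed for illustration; the `-ee` suffix handling and the padding of a two-component version such as `14.3` to `14.3.0` are assumptions about how GitLab version strings should be compared.

```python
"""Check a GitLab CE/EE version string against the CNA Affected ranges for
CVE-2021-39911.  Added example; the ranges are copied from the advisory,
the comparison logic is not GitLab's own."""
import re

# Ranges copied verbatim from the advisory's CNA Affected block.
AFFECTED_RANGES = [">=13.9, <14.2.6", ">=14.3, <14.3.4", ">=14.4, <14.4.1"]

# One constraint: optional operator, then a dotted numeric version.
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|==)?\s*(\d+(?:\.\d+)*)$")

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '14.2.6', '14.3' or '14.3.4-ee' into a comparable 3-tuple of ints.

    Assumption: an edition suffix or build metadata after '-' or '+' is
    ignored, and a missing patch component counts as 0, so '14.3' equals
    '14.3.0' (this is how the advisory's '>=14.3' lower bound reads)."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def _constraints(range_text):
    """Yield (operator, bound_version_string) pairs from '>=13.9, <14.2.6'."""
    for constraint in range_text.split(","):
        m = _CONSTRAINT.match(constraint.strip())
        if not m:
            raise ValueError(f"unparseable constraint: {constraint!r}")
        yield (m.group(1) or "=="), m.group(2)


def matches_range(version, range_text):
    """True when `version` satisfies every constraint in `range_text`."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in _constraints(range_text))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True when the version falls inside any affected range."""
    return any(matches_range(version, r) for r in ranges)


def fix_for(version, ranges=AFFECTED_RANGES):
    """Return the patched release (the '<' bound of the matching range) for an
    affected version, or None when the version is not affected."""
    for r in ranges:
        if matches_range(version, r):
            for op, bound in _constraints(r):
                if op == "<":
                    return bound
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ["13.8.8", "13.9.0", "14.2.5-ee", "14.2.6", "14.3", "14.3.4-ee", "14.4.0", "14.5.0"]:
        verdict = f"affected, upgrade to {fix_for(sample)}" if is_affected(sample) else "not affected"
        print(f"{sample:12} {verdict}")
```

On a live instance the version string to feed into `is_affected` is what `GET /api/v4/version` returns under `version`; a version that reports as not affected by this CVE may still be past end of support, so treat the check as necessary, not sufficient.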
