Lucene search

GoogleOSV:BIT-GITLAB-2021-39898

HistoryMar 06, 2024 - 11:18 a.m.

BIT-gitlab-2021-39898

2024-03-0611:18:11

Google

osv.dev

gitlab

project export

external webhook

token leak

version 10.6

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

40.3%

JSON

In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from.

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39898.json

gitlab.com/gitlab-org/gitlab/-/issues/33734

hackerone.com/reports/698068

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

40.3%

JSON

Related for OSV:BIT-GITLAB-2021-39898