Lucene search

GoogleOSV:BIT-GITLAB-2021-39939

HistoryMar 06, 2024 - 11:17 a.m.

BIT-gitlab-2021-39939

2024-03-0611:17:23

Google

osv.dev

uncontrolled resource consumption

gitlab runner

versions 13.7-14.5.2

attacker-triggered job

docker image

exhaust resources

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

35.0%

JSON

An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner manager

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39939.json

gitlab.com/gitlab-org/gitlab-runner/-/issues/28630

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

35.0%

JSON

Related for OSV:BIT-GITLAB-2021-39939