CVE-2021-39889

2021-10-0514:15:07

Google

osv.dev

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%

JSON

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

CPENameOperatorVersion
gitlabeq14.1.1-ee
gitlabeq14.1.4-ee
gitlabeq14.1.0-ee
gitlabeq14.1.5-ee
gitlabeq14.1.6-ee
gitlabeq14.1.2-ee
gitlabeq14.1.3-ee

Name	Operator	Version
gitlab	eq	14.1.1-ee
gitlab	eq	14.1.4-ee
gitlab	eq	14.1.0-ee
gitlab	eq	14.1.5-ee
gitlab	eq	14.1.6-ee
gitlab	eq	14.1.2-ee
gitlab	eq	14.1.3-ee

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json

gitlab.com/gitlab-org/gitlab/-/issues/338062

hackerone.com/reports/1294017