Lucene search

Ubuntu.comUB:CVE-2021-22172

HistoryMar 26, 2021 - 12:00 a.m.

CVE-2021-22172

2021-03-2600:00:00

ubuntu.com

gitlab

improper authorization

guest user

private project

tag data

releases page

unix

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON

Improper authorization in GitLab 12.8+ allows a guest user in a private
project to view tag data that should be inaccessible on the releases page

References

about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/

launchpad.net/bugs/cve/CVE-2021-22172

nvd.nist.gov/vuln/detail/CVE-2021-22172

security-tracker.debian.org/tracker/CVE-2021-22172

www.cve.org/CVERecord?id=CVE-2021-22172

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON

Related for UB:CVE-2021-22172