Ubuntu.comUB:CVE-2021-39881CVE-2021-39881
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
29.8%
In all versions of GitLab CE/EE since version 7.7, the application may let
a malicious user create an OAuth client application with arbitrary scope
names which may allow the malicious user to trick unsuspecting users to
authorize the malicious client application using the spoofed scope name and
description.
References
gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39881.json
gitlab.com/gitlab-org/gitlab/-/issues/26695
hackerone.com/reports/494530
launchpad.net/bugs/cve/CVE-2021-39881
nvd.nist.gov/vuln/detail/CVE-2021-39881
security-tracker.debian.org/tracker/CVE-2021-39881
www.cve.org/CVERecord?id=CVE-2021-39881
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
29.8%