CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low
Percentile: 39.0%
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all
versions starting from 14.3 before 14.3.4, and all versions starting from
14.4 before 14.4.1, certain Unicode characters can be abused to commit
malicious code into projects without it being noticed in the merge request or
source code viewer UI.
gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39908.json
gitlab.com/gitlab-org/gitlab/-/issues/337193
hackerone.com/reports/1280077
launchpad.net/bugs/cve/CVE-2021-39908
nvd.nist.gov/vuln/detail/CVE-2021-39908
security-tracker.debian.org/tracker/CVE-2021-39908
www.cve.org/CVERecord?id=CVE-2021-39908