Lucene search

Veracode Vulnerability DatabaseVERACODE:42268

HistoryAug 06, 2023 - 2:24 p.m.

Improper Authentication

2023-08-0614:24:33

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

improper authentication

vulnerability

api token

malicious link

insufficient validation

software

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

56.4%

JSON

gitlab is vulnerable to Improper Authentication. The vulnerability allows a malicious attacker to steal a users API token via a malicious link due to insufficient validation.

CPENameOperatorVersion
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1
gitlab:sideq13.4.7-2
gitlab:sideq13.3.9-1

Name	Operator	Version
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1
gitlab:sid	eq	13.4.7-2
gitlab:sid	eq	13.3.9-1

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22171.json

gitlab.com/gitlab-org/gitlab-pages/-/issues/262

hackerone.com/reports/718460

security-tracker.debian.org/tracker/CVE-2021-22171

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

56.4%

JSON

Related for VERACODE:42268