Lucene search

Veracode Vulnerability DatabaseVERACODE:42377

HistoryAug 06, 2023 - 7:54 p.m.

Information Disclosure

2023-08-0619:54:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

gitlab

information disclosure

view permissions

private groups

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON

gitlab is vulnerable to Information Disclosure. The vulnerability exists due to lack of view permissions on members which allows an attacker to gain access to the members of private groups.

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39876.json

gitlab.com/gitlab-org/gitlab/-/issues/29683

hackerone.com/reports/627507

security-tracker.debian.org/tracker/CVE-2021-39876

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

34.4%

JSON

Related for VERACODE:42377