CVE-2021-39899
CVE-2021-39899 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
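The bypass described above works because the limit is bucketed by source address, so a stolen session reused from many addresses never fills any one bucket. As an added example that is not GitLab's code, the Ruby below runs a minimal sliding-window limiter over a constructed burst of password-change attempts that share one session id across ten addresses, once keyed by IP (the weak shape) and once keyed by user and session (the corrected shape); `RateLimiter`, `Attempt` and the helper names are hypothetical.

```ruby
# Added example, not GitLab's implementation: a sliding-window limiter whose
# bucket key is chosen by the caller, so the same logic can be keyed by IP
# or by account/session. Class and method names are hypothetical.
class RateLimiter
  # max: attempts allowed per window; window: seconds; key_fn: bucket selector
  def initialize(max:, window:, &key_fn)
    @max, @window, @key_fn = max, window, key_fn
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true if the attempt is allowed, false once the bucket is exhausted.
  def allow?(attempt, now)
    bucket = @hits[@key_fn.call(attempt)]
    bucket.reject! { |t| t <= now - @window } # drop hits outside the window
    return false if bucket.size >= @max
    bucket << now
    true
  end
end

Attempt = Struct.new(:ip, :session_id, :user_id)

# Count how many of the attempts a limiter lets through, one per second.
def allowed_count(limiter, attempts, start = 0.0)
  attempts.each_with_index.count { |a, i| limiter.allow?(a, start + i) }
end

# Constructed sample: 30 guesses inside one minute, all carrying the same
# stolen session cookie but spread over 10 source addresses (3 per address).
STOLEN_SESSION = 'sess-constructed-1234'
ATTEMPTS = (0...30).map { |i| Attempt.new("203.0.113.#{i % 10}", STOLEN_SESSION, 42) }

# Weak shape: 5 attempts per IP per minute. Each address sees only 3 hits,
# so every one of the 30 guesses is accepted.
def ip_keyed_allowed
  limiter = RateLimiter.new(max: 5, window: 60) { |a| a.ip }
  allowed_count(limiter, ATTEMPTS) # → 30
end

# Corrected shape: the same limit keyed on the user and session instead, so
# spreading the guesses across addresses does not help; only 5 get through.
def session_keyed_allowed
  limiter = RateLimiter.new(max: 5, window: 60) { |a| [a.user_id, a.session_id] }
  allowed_count(limiter, ATTEMPTS) # → 5
end
```

In a real deployment the per-account bucket would live in shared storage (for example Redis) so that all application nodes count against the same limit, and a rejected attempt on the change-password endpoint is worth logging as a signal in its own right.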
Metrics
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 1.0.0, < 14.1.7 |
| Gitlab | Gitlab | >= 14.2, < 14.2.5 |
| Gitlab | Gitlab | >= 14.3, < 14.3.1 |