CVE-2021-39899
CVSS V2 Low 1.9
CVSS V3 Medium 4.2
Description
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
Overview
- CVE ID
- CVE-2021-39899
- Assigner
- cve@gitlab.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-10-04T17:15:08
- Last Modified Date
- 2021-10-12T14:25:59
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* | 1 | OR | 1.0.0 | 14.1.7 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | 1 | OR | 1.0.0 | 14.1.7 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* | 1 | OR | 14.2 | 14.2.5 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | 1 | OR | 14.2 | 14.2.5 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* | 1 | OR | 14.3 | 14.3.1 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | 1 | OR | 14.3 | 14.3.1 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:M/Au:N/C:P/I:N/A:N
- Access Vector
- LOCAL
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 1.9
- Severity
- LOW
- Exploitability Score
- 3.4
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- PHYSICAL
- Attack Compatibility
- HIGH
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 4.2
- Base Severity
- MEDIUM
- Exploitability Score
- 0.5
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.json | Vendor Advisory |
| https://gitlab.com/gitlab-org/gitlab/-/issues/339154 | Broken Link |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-39899 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39899 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:51:54 | Added to TrackCVE | |||
| 2022-12-05 11:44:04 | 2021-10-04T17:15Z | 2021-10-04T17:15:08 | CVE Published Date | updated |
| 2022-12-05 11:44:04 | 2021-10-12T14:25:59 | CVE Modified Date | updated | |
| 2022-12-05 11:44:04 | Analyzed | Vulnerability Status | updated |