CVE-2021-39895

EUVD-2021-26251
In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
GitLabCNA
6 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
gitlabgitlab
8.0.0 ≤
𝑥
< 14.1.7
gitlabgitlab
8.0.0 ≤
𝑥
< 14.1.7
gitlabgitlab
14.2.0 ≤
𝑥
< 14.2.5
gitlabgitlab
14.2.0 ≤
𝑥
< 14.2.5
gitlabgitlab
14.3.0
gitlabgitlab
14.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gitlab
sid
16.8.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gitlab
focal
dne
jammy
dne
mantic
dne
noble
dne
xenial
ignored
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json
https://gitlab.com/gitlab-org/gitlab/-/issues/337824
https://hackerone.com/reports/1272535
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json
https://gitlab.com/gitlab-org/gitlab/-/issues/337824
https://hackerone.com/reports/1272535