CVE-2021-39939

An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner manager
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitLabCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
gitlabgitlab
13.7.0 ≤
𝑥
< 14.3.6
gitlabgitlab
13.7.0 ≤
𝑥
< 14.3.6
gitlabgitlab
14.4.0 ≤
𝑥
< 14.4.4
gitlabgitlab
14.4.0 ≤
𝑥
< 14.4.4
gitlabgitlab
14.5.0 ≤
𝑥
< 14.5.2
gitlabgitlab
14.5.0 ≤
𝑥
< 14.5.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gitlab-ci-multi-runner
sid
14.10.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gitlab-ci-multi-runner
noble
dne
mantic
dne
focal
needs-triage
bionic
needs-triage
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39939.json
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28630
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39939.json
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28630