Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
References
Link | Resource |
---|---|
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39915.json | Vendor Advisory |
https://gitlab.com/gitlab-org/gitlab/-/issues/340803 | Broken Link |
https://hackerone.com/reports/1336059 | Permissions Required Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
16 Dec 2021, 02:43
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 5.3 |
CWE | CWE-668 | |
References | (MISC) https://hackerone.com/reports/1336059 - Permissions Required, Third Party Advisory | |
References | (MISC) https://gitlab.com/gitlab-org/gitlab/-/issues/340803 - Broken Link | |
References | (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39915.json - Vendor Advisory |
13 Dec 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-13 16:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-39915
Mitre link : CVE-2021-39915
CVE.ORG link : CVE-2021-39915
JSON object : View
Products Affected
gitlab
- gitlab
CWE
CWE-668
Exposure of Resource to Wrong Sphere