CVE-2021-39899

low-risk
Published 2021-10-04

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.9/10 Low
PHYSICAL / HIGH complexity

Affected Products (2)

Affected Vendors

Gitlab

References (4)

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/339154
Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.json
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/339154
15
/ 100
low-risk
Severity 8/34 · Low
Exploitability 0/34 · Minimal
Exposure 7/34 · Low