CVE-2021-39935

high-risk
Published 2021-12-13

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API

Do I need to act?

!
41.4% chance of exploitation in next 30 days
EPSS score — higher than 59% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.8/10 Medium
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Gitlab

References (7)

Third Party Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
Issue Tracking https://gitlab.com/gitlab-org/gitlab/-/issues/346187
Permissions Required https://hackerone.com/reports/1236965
Third Party Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
Issue Tracking https://gitlab.com/gitlab-org/gitlab/-/issues/346187
Permissions Required https://hackerone.com/reports/1236965
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
52
/ 100
high-risk
Severity 21/34 · High
Exploitability 24/34 · High
Exposure 7/34 · Low