CVE-2021-39881

Sažetak

In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.

Reference

https://hackerone.com/reports/494530
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39881.json
https://gitlab.com/gitlab-org/gitlab/-/issues/26695

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:N/I:P/A:N

Zadnje važnije ažuriranje

09-10-2021 - 03:31

Objavljeno

05-10-2021 - 14:15