CVE-2021-39895

Sažetak

In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.

Reference

https://hackerone.com/reports/1272535
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json
https://gitlab.com/gitlab-org/gitlab/-/issues/337824

CVSS

Base:	2.1
Impact:	2.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:H/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

08-11-2021 - 17:42

Objavljeno

05-11-2021 - 00:15