CVE-2021-39889

CVE-2021-39889

Name

CVE-2021-39889

Description

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://hackerone.com/reports/1294017
MISC	https://gitlab.com/gitlab-org/gitlab/-/issues/338062
CONFIRM	https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json

Type

URI

MISC

https://hackerone.com/reports/1294017

MISC

https://gitlab.com/gitlab-org/gitlab/-/issues/338062

CONFIRM

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gitlab:gitlab:::::enterprise:::*`	gitlab	>= 14.1.0	< 14.1.7
`cpe:2.3:a:gitlab:gitlab:::::enterprise:::*`	gitlab	>= 14.2.0	< 14.2.5
`cpe:2.3:a:gitlab:gitlab:::::enterprise:::*`	gitlab	>= 14.3.0	< 14.3.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

gitlab

>= 14.1.0

< 14.1.7

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

gitlab

>= 14.2.0

< 14.2.5

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

gitlab

>= 14.3.0

< 14.3.1

References

Match rules

Vulnerable and fixed packages