CVE-2021-39894

Name

CVE-2021-39894

Description

In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://gitlab.com/gitlab-org/gitlab/-/issues/214399
CONFIRM	https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39894.json

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gitlab:gitlab:::::community:::*`	gitlab	>= 8.0.0	< 14.1.7
`cpe:2.3:a:gitlab:gitlab:::::community:::*`	gitlab	>= 14.2.0	< 14.2.5
`cpe:2.3:a:gitlab:gitlab:14.3.0::::community:::`	gitlab	== None	== 14.3.0

References

Match rules

Vulnerable and fixed packages