CVE-2021-39903

CVE-2021-39903

Name

CVE-2021-39903

Description

In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://hackerone.com/reports/1086781
CONFIRM	https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39903.json
MISC	https://gitlab.com/gitlab-org/gitlab/-/issues/300017

Type

URI

MISC

https://hackerone.com/reports/1086781

CONFIRM

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39903.json

MISC

https://gitlab.com/gitlab-org/gitlab/-/issues/300017

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gitlab:gitlab:::::community:::*`	gitlab	>= 13.0.0	< 14.2.6
`cpe:2.3:a:gitlab:gitlab:::::community:::*`	gitlab	>= 14.3.0	< 14.3.4
`cpe:2.3:a:gitlab:gitlab:14.4.0::::community:::`	gitlab	== None	== 14.4.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

gitlab

>= 13.0.0

< 14.2.6

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

gitlab

>= 14.3.0

< 14.3.4

cpe:2.3:a:gitlab:gitlab:14.4.0:*:*:*:community:*:*:*

gitlab

== None

== 14.4.0

References

Match rules

Vulnerable and fixed packages