Unrated severityNVD Advisory· Published Oct 4, 2021· Updated Aug 4, 2024

CVE-2021-39899

Description

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

Affected products

GitLab Inc./CE/EEllm-fuzzy
Range: *
osv-coords
pkg:bitnami/gitlab
Range: >= 1.0.0, < 14.1.7
GitLab Inc./GitLabv5
Range: >=1.0, <14.1.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.jsonmitrex_refsource_CONFIRM
gitlab.com/gitlab-org/gitlab/-/issues/339154mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000