Vulnerability Description
Improper validation of invited users' email addresses in GitLab EE, affecting all versions since 12.2, allowed projects to add members whose email address domain should have been blocked by the group's domain-restriction settings.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 12.2.0, < 13.12.9 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22251.json (Vendor Advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/14004 (Exploit, Issue Tracking, Vendor Advisory)
- https://hackerone.com/reports/679567 (Permissions Required, Third Party Advisory)
FAQ
What is CVE-2021-22251?
CVE-2021-22251 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Improper validation of invited users' email addresses in GitLab EE, affecting all versions since 12.2, allowed projects to add members whose email address domain should have been blocked by the group's domain-restriction settings.
How severe is CVE-2021-22251?
CVE-2021-22251 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS score above for the severity rating.
Is there a patch for CVE-2021-22251?
Check the references section above for vendor advisories and patch information. The affected product is GitLab (vendor: GitLab), versions >= 12.2.0 and < 13.12.9, as listed in the table above.