Vulnerability Description
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | < 14.0.9 |
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.jsonVendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561Broken Link
- https://hackerone.com/reports/1181284Permissions RequiredThird Party Advisory
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.jsonVendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561Broken Link
- https://hackerone.com/reports/1181284Permissions RequiredThird Party Advisory
FAQ
What is CVE-2021-39880?
CVE-2021-39880 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions st...
How severe is CVE-2021-39880?
CVE-2021-39880 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39880?
Check the references section above for vendor advisories and patch information. Affected products include: Gitlab Gitlab.