Vulnerability Description
In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gitlab | Gitlab | >= 14.1.0, < 14.1.7 |
Related Weaknesses (CWE)
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39889.json (Vendor Advisory)
- https://gitlab.com/gitlab-org/gitlab/-/issues/338062 (Broken Link)
- https://hackerone.com/reports/1294017 (Permissions Required, Third Party Advisory)
FAQ
What is CVE-2021-39889?
CVE-2021-39889 is a vulnerability with a CVSS score of 4.3 (MEDIUM). In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API ...
How severe is CVE-2021-39889?
CVE-2021-39889 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39889?
Check the references section above for vendor advisories and patch information. Affected products include: Gitlab Gitlab.