CVE-2021-39895 - OpenCVE

In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:H/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:14.3.0::::community:::
	cpe:2.3:a:gitlab:gitlab:14.3.0::::enterprise:::

References

Link	Resource
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json	Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/337824	Broken Link
https://hackerone.com/reports/1272535	Permissions Required Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitLab

Published: 2021-11-04T23:11:51

Updated: 2021-11-04T23:11:51

Reserved: 2021-08-23T00:00:00

Link: CVE-2021-39895

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-05T00:15:10.280

Modified: 2021-11-08T17:42:14.660

Link: CVE-2021-39895

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "GitLab", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=8.0, <14.1.7"}, {"status": "affected", "version": ">=14.2, <14.2.5"}, {"status": "affected", "version": ">=14.3, <14.3.1"}]}], "credits": [{"lang": "en", "value": "Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program."}], "descriptions": [{"lang": "en", "value": "In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Configuration in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-04T23:11:51", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/337824"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1272535"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2021-39895", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab", "version": {"version_data": [{"version_value": ">=8.0, <14.1.7"}, {"version_value": ">=14.2, <14.2.5"}, {"version_value": ">=14.3, <14.3.1"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Configuration in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/337824", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/337824"}, {"name": "https://hackerone.com/reports/1272535", "refsource": "MISC", "url": "https://hackerone.com/reports/1272535"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json"}]}}}}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2021-39895", "datePublished": "2021-11-04T23:11:51", "dateReserved": "2021-08-23T00:00:00", "dateUpdated": "2021-11-04T23:11:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "108BFCA8-3661-485A-BD06-27FA8999BB50", "versionEndExcluding": "14.1.7", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4B4A8EE5-32B8-4DFB-9431-01A76FF04037", "versionEndExcluding": "14.1.7", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "CAB23F69-59A2-430F-A082-A5F81A7A464C", "versionEndExcluding": "14.2.5", "versionStartIncluding": "14.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CD7E2FAA-308F-450F-8990-52A7DEB8ED00", "versionEndExcluding": "14.2.5", "versionStartIncluding": "14.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:14.3.0:*:*:*:community:*:*:*", "matchCriteriaId": "3E754C1F-3FB2-4387-8523-19896FDE7A14", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:14.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "ED0EDF4C-4350-476E-A6C4-C2FEFC2078D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source."}, {"lang": "es", "value": "En todas las versiones de GitLab CE/EE desde versi\u00f3n 8.0, un atacante puede configurar las programaciones de tuber\u00edas para que est\u00e9n activas en una exportaci\u00f3n de proyectos, de modo que cuando un propietario desprevenido importa ese proyecto, las tuber\u00edas est\u00e1n activas por defecto en ese proyecto. Bajo condiciones especializadas, esto puede conllevar a una divulgaci\u00f3n de informaci\u00f3n si el proyecto es importado desde una fuente no confiable"}], "id": "CVE-2021-39895", "lastModified": "2021-11-08T17:42:14.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.5, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2021-11-05T00:15:10.280", "references": [{"source": "cve@gitlab.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39895.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/337824"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1272535"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}