CVE-2021-22186
First published: Wed Mar 24 2021(Updated: )
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=9.4.0<13.7.8 | |
| GitLab | >=9.4.0<13.7.8 | |
| GitLab | >=13.8.0<13.8.5 | |
| GitLab | >=13.8.0<13.8.5 | |
| GitLab | >=13.9.0<13.9.2 | |
| GitLab | >=13.9.0<13.9.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-22186?
CVE-2021-22186 has a medium severity rating due to the unauthorized modification of CI/CD variables by group maintainers.
How do I fix CVE-2021-22186?
To fix CVE-2021-22186, upgrade GitLab to version 13.7.9 or later for versions between 9.4 and 13.7, and to version 13.8.6 or later for versions between 13.8 and 13.8.5.
Which versions of GitLab are affected by CVE-2021-22186?
CVE-2021-22186 affects GitLab CE/EE versions from 9.4.0 up to 13.9.2.
Who can exploit CVE-2021-22186?
An attacker with group maintainer privileges can exploit CVE-2021-22186 to modify restricted CI/CD variables.
What is the impact of CVE-2021-22186 on GitLab users?
The impact of CVE-2021-22186 could allow unauthorized access to modify sensitive CI/CD configurations, leading to potential security risks.
- agent/references
- agent/type
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/9.4.0
- version/gitlab/13.8.0
- version/gitlab/13.9.0