CVE-2021-39886
First published: Tue Oct 05 2021(Updated: )
Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=10.6.0<14.1.7 | |
| GitLab | >=10.6.0<14.1.7 | |
| GitLab | >=14.2.0<14.2.5 | |
| GitLab | >=14.2.0<14.2.5 | |
| GitLab | >=14.3.0<14.3.1 | |
| GitLab | >=14.3.0<14.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-39886?
CVE-2021-39886 is classified as a high severity vulnerability due to improper permissions management.
How do I fix CVE-2021-39886?
To fix CVE-2021-39886, upgrade your GitLab instance to version 14.1.8 or higher, or to 14.2.6 or higher.
What are the affected versions for CVE-2021-39886?
CVE-2021-39886 affects GitLab versions from 10.6 up to 14.1.7, as well as 14.2.0 to 14.2.5, and 14.3.0 to 14.3.1.
What type of information is at risk due to CVE-2021-39886?
CVE-2021-39886 allows unauthorized users to read confidential Epic references when moving issues between projects.
Who is impacted by CVE-2021-39886?
Any user on affected GitLab instances who has access to projects within the same group may be impacted by CVE-2021-39886.
- agent/references
- agent/type
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/10.6.0
- version/gitlab/14.2.0
- version/gitlab/14.3.0