CVE-2021-39908: Code Injection
First published: Fri Apr 01 2022(Updated: )
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=0.8.0<14.2.6 | |
| GitLab | >=0.8.0<14.2.6 | |
| GitLab | >=14.3.0<14.3.4 | |
| GitLab | >=14.3.0<14.3.4 | |
| GitLab | =14.4.0 | |
| GitLab | =14.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-39908?
CVE-2021-39908 has been classified as a medium severity vulnerability.
How do I fix CVE-2021-39908?
To fix CVE-2021-39908, update GitLab to the latest version that is not affected by this vulnerability.
Which versions are affected by CVE-2021-39908?
CVE-2021-39908 affects all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6 and specific ranges from 14.3 and 14.4.
What is the impact of CVE-2021-39908?
CVE-2021-39908 allows attackers to commit malicious code without detection in merge requests or source code.
Is there a workaround for CVE-2021-39908?
The best approach for CVE-2021-39908 is to upgrade to a patched version of GitLab, as no effective workaround is available.
- agent/type
- agent/references
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/0.8.0
- version/gitlab/14.3.0
- version/gitlab/14.4.0