CVE-2021-39911
First published: Thu Nov 04 2021(Updated: )
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=13.9.0<14.2.6 | |
| GitLab | >=13.9.0<14.2.6 | |
| GitLab | >=14.3.0<14.3.4 | |
| GitLab | >=14.3.0<14.3.4 | |
| GitLab | =14.4.0 | |
| GitLab | =14.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-39911?
CVE-2021-39911 is classified as a medium severity vulnerability that exposes private email addresses.
How do I fix CVE-2021-39911?
To fix CVE-2021-39911, upgrade GitLab to version 14.2.6 or later, or to version 14.3.4 or later.
Who is affected by CVE-2021-39911?
All versions of GitLab CE/EE from 13.9 before 14.2.6, versions 14.3 before 14.3.4, and version 14.4 before 14.4.1 are affected by CVE-2021-39911.
What type of vulnerability is CVE-2021-39911?
CVE-2021-39911 is an improper access control flaw.
What data is exposed due to CVE-2021-39911?
CVE-2021-39911 exposes the private email addresses of Issue and Merge Requests assignees to Webhook data consumers.
- agent/references
- agent/type
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/13.9.0
- version/gitlab/14.3.0
- version/gitlab/14.4.0