CVE-2021-39919
First published: Mon Dec 13 2021(Updated: )
In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=14.0.0<14.3.6 | |
| GitLab | >=14.0.0<14.3.6 | |
| GitLab | >=14.4.0<14.4.4 | |
| GitLab | >=14.4.0<14.4.4 | |
| GitLab | >=14.5.0<14.5.2 | |
| GitLab | >=14.5.0<14.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-39919?
CVE-2021-39919 is considered a medium severity vulnerability due to potential information disclosure.
How do I fix CVE-2021-39919?
To mitigate CVE-2021-39919, upgrade GitLab to version 14.3.6, 14.4.4, or 14.5.2 or later.
What is the impact of CVE-2021-39919?
The impact of CVE-2021-39919 includes potential exposure of sensitive reset password tokens and new user email tokens.
Which versions of GitLab are affected by CVE-2021-39919?
CVE-2021-39919 affects all versions of GitLab CE/EE starting from 14.0 before 14.3.6, and from versions 14.4 before 14.4.4 and 14.5 before 14.5.2.
Can CVE-2021-39919 be exploited remotely?
Yes, CVE-2021-39919 can potentially be exploited remotely if the logs containing sensitive information are accessed.
- agent/references
- agent/type
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/14.0.0
- version/gitlab/14.4.0
- version/gitlab/14.5.0