Home > Vulnerability Database > CVE-2021-39899

Mend.io Vulnerability Database

CVE-2021-39899

Good to know:

Date: October 4, 2021

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

Language: Ruby

Severity Score

4.2

Related Resources (5)

Url: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.json

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-39899

Url: https://gitlab.com/gitlab-org/gitlab/-/issues/339154

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-39899

Url: https://www.mend.io/vulnerability-database/CVE-2021-39899

Severity Score

4.2

Weakness Type (CWE)

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version v14.1.7, v14.2.5, v14.3.1

Learn More

CVSS v3.1

Base Score:	4.2
Attack Vector (AV):	PHYSICAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	1.9
Access Vector (AV):	LOCAL
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-39899

Good to know:

Date: October 4, 2021

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?