Base Score

MEDIUM5.3

CVE-2021-39897

Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred

VectorNETWORK

Published Bycve@gitlab.com

Published DateNov 05, 2021, 00:15

Weakness Type (CWE):CWE-281

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39897.json
https://gitlab.com/gitlab-org/gitlab/-/issues/341017
https://hackerone.com/reports/1330806

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-281

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE