CVE-2021-39900 - OpenCVE

Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:14.3.0::::community:::
	cpe:2.3:a:gitlab:gitlab:14.3.0::::enterprise:::

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json
https://gitlab.com/gitlab-org/gitlab/-/issues/325088

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2021-10-04T16:45:45

Updated: 2024-08-04T02:20:33.699Z

Reserved: 2021-08-23T00:00:00

Link: CVE-2021-39900

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-04T17:15:08.413

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-39900

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "GitLab", "vendor": "GitLab", "versions": [{"status": "affected", "version": ">=10.8, <14.1.7"}, {"status": "affected", "version": ">=14.2, <14.2.5"}, {"status": "affected", "version": ">=14.3, <14.3.1"}]}], "credits": [{"lang": "en", "value": "This vulnerability has been discovered internally by the GitLab team"}], "descriptions": [{"lang": "en", "value": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Information exposure in GitLab", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-04T16:45:45", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@gitlab.com", "ID": "CVE-2021-39900", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GitLab", "version": {"version_data": [{"version_value": ">=10.8, <14.1.7"}, {"version_value": ">=14.2, <14.2.5"}, {"version_value": ">=14.3, <14.3.1"}]}}]}, "vendor_name": "GitLab"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability has been discovered internally by the GitLab team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information exposure in GitLab"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088", "refsource": "MISC", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"}, {"name": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json", "refsource": "CONFIRM", "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:20:33.699Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"}]}]}, "cveMetadata": {"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2021-39900", "datePublished": "2021-10-04T16:45:45", "dateReserved": "2021-08-23T00:00:00", "dateUpdated": "2024-08-04T02:20:33.699Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "018E5854-4757-42B1-8C78-1CD2903E6FFD", "versionEndExcluding": "14.1.7", "versionStartIncluding": "10.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "24E7D2D9-8143-455A-81AB-620515030293", "versionEndExcluding": "14.1.7", "versionStartIncluding": "10.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "CAB23F69-59A2-430F-A082-A5F81A7A464C", "versionEndExcluding": "14.2.5", "versionStartIncluding": "14.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CD7E2FAA-308F-450F-8990-52A7DEB8ED00", "versionEndExcluding": "14.2.5", "versionStartIncluding": "14.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:14.3.0:*:*:*:community:*:*:*", "matchCriteriaId": "3E754C1F-3FB2-4387-8523-19896FDE7A14", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:14.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "ED0EDF4C-4350-476E-A6C4-C2FEFC2078D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs."}, {"lang": "es", "value": "Una divulgaci\u00f3n de informaci\u00f3n de SendEntry en GitLab a partir de la versi\u00f3n 10.8, permit\u00eda la exposici\u00f3n de la URL completa de los artefactos almacenados en el almacenamiento de objetos con una disponibilidad temporal por medio de los registros de Rails"}], "id": "CVE-2021-39900", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2021-10-04T17:15:08.413", "references": [{"source": "cve@gitlab.com", "tags": ["Third Party Advisory"], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39900.json"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/325088"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}