BIT-gitlab-2021-39899

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/gitlab/BIT-gitlab-2021-39899.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-gitlab-2021-39899
Aliases
Published
2024-03-06T11:18:10.111Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

References

Affected packages

Bitnami / gitlab

Package

Name
gitlab
Purl
pkg:bitnami/gitlab

Severity

  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0
Fixed
14.1.7
Introduced
14.2.0
Fixed
14.2.5
Introduced
14.3.0
Fixed
14.3.1