CVE-2021-39895

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-39895
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39895.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-39895
Aliases
Downstream
Published
2021-11-05T00:15:10.280Z
Modified
2026-04-10T04:37:31.902225Z
Severity
  • 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source.

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
b50421f8650a390aa637da68c7e0138dd764fdf3
Fixed
9cd657e5179e339171d27e4573b8f5711db1d824
Introduced
b50421f8650a390aa637da68c7e0138dd764fdf3
Fixed
9cd657e5179e339171d27e4573b8f5711db1d824
Introduced
38bbb40bb77dd3e0f0281c4363e2ef298e650c42
Fixed
72c1da0383a35604f4b2d73a7ed8e6a2c4ee64b1
Introduced
38bbb40bb77dd3e0f0281c4363e2ef298e650c42
Fixed
72c1da0383a35604f4b2d73a7ed8e6a2c4ee64b1
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dec73e99fddac59c0bf816dc4bffd2a30abae6de
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dec73e99fddac59c0bf816dc4bffd2a30abae6de
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "14.1.7"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "14.1.7"
        },
        {
            "introduced": "14.2.0"
        },
        {
            "fixed": "14.2.5"
        },
        {
            "introduced": "14.2.0"
        },
        {
            "fixed": "14.2.5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.3.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.3.0"
        }
    ]
}

Affected versions

Other
11-10-0cfa69752d8-0d9531c80-ee
11-10-0cfa69752d8-74ffd66ae-ee
11-10-119f9509d50-6d7537235-ee
v1.*
v1.2.0
v1.2.0pre
v1.2.1
v1.2.2
v14.*
v14.1.0-ee
v14.1.0-rc42-ee
v14.1.0-rc43-ee
v14.1.1-ee
v14.1.3-ee
v14.1.5-ee
v14.1.6-ee
v14.2.0-ee
v14.2.1-ee
v14.2.3-ee
v14.2.4-ee
v14.3.0-ee
v14.3.0-rc42-ee
v2.*
v2.3.0
v2.3.0pre
v2.3.1
v2.4.0
v2.4.0pre
v2.4.1
v2.5.0
v2.6.0
v2.6.0pre
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.0pre
v2.8.0
v2.8.0pre
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v5.*
v5.0.0
v5.1.0
v5.2.0
v6.*
v6.0.0-ee
v6.0.0-ee.beta
v6.0.0-ee.rc1
v6.1.0-ee
v6.3.0-ee
v6.3.1-ee
v6.4.0-ee
v6.5.0-ee
v6.6.0-ee
v6.7.0-ee
v6.7.0.rc1-ee
v6.8.0-ee
v7.*
v7.0.0-ee
v7.1.0-ee
v7.1.0.rc1-ee
v7.2.0.rc1-ee
v7.2.0.rc2-ee
v7.2.0.rc3-ee
v7.2.0.rc4-ee
v7.2.0.rc5-ee
v7.3.0-ee
v7.3.0.rc1-ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39895.json"