CVE-2021-39899
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-39899
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39899.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-39899
- Aliases
- Related
- Published
- 2021-10-04T17:15:08Z
- Modified
- 2025-01-14T09:54:47.197288Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
- References
Affected packages
Git / gitlab.com/gitlab-org/gitlab
Affected ranges
- Type
- GIT
- Repo
- https://gitlab.com/gitlab-org/gitlab
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
11-10-0cfa69752d8-0d9531c80-ee
11-10-0cfa69752d8-74ffd66ae-ee
11-10-119f9509d50-6d7537235-ee
v1.*
v1.0.2
v1.1.0pre
v1.2.0
v1.2.0pre
v1.2.1
v1.2.2
v10.*
v10.1.0.pre
v10.2.0.pre
v10.3.0.pre
v10.4.0.pre
v10.5.0.pre
v10.6.0.pre
v10.7.0.pre
v10.8.0.pre
v10.9.0.pre
v11.*
v11.0.0.pre
v11.1.0.pre
v11.2.0.pre
v11.3.0.pre
v14.*
v14.1.0-ee
v14.1.0-rc42-ee
v14.1.0-rc43-ee
v14.1.1-ee
v14.1.2-ee
v14.1.3-ee
v14.1.4-ee
v14.1.5-ee
v14.1.6-ee
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.2.0pre
v2.3.0
v2.3.0pre
v2.3.1
v2.4.0
v2.4.0pre
v2.4.1
v2.5.0
v2.6.0
v2.6.0pre
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.0pre
v2.8.0
v2.8.0pre
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v5.*
v5.0.0
v5.1.0
v5.2.0
v5.3.0
v6.*
v6.0.0
v6.0.0-ee
v6.0.0-ee.beta
v6.0.0-ee.rc1
v6.1.0-ee
v6.2.0
v6.2.1
v6.2.2
v6.3.0
v6.3.0-ee
v6.3.1-ee
v6.4.0
v6.4.0-ee
v6.4.0.pre1
v6.4.0.pre2
v6.4.0.pre3
v6.4.1
v6.4.2
v6.4.3
v6.5.0
v6.5.0-ee
v6.5.0.rc1
v6.5.1
v6.6.0
v6.6.0-ee
v6.6.0.pre1
v6.6.0.rc1
v6.6.1
v6.6.2
v6.7.0-ee
v6.7.0.rc1
v6.7.0.rc1-ee
v6.7.1
v6.7.2
v6.8.0
v6.8.0-ee
v6.8.0.rc1
v6.8.1
v6.9.0.rc1
v7.*
v7.0.0
v7.0.0-ee
v7.0.0.rc1
v7.1.0
v7.1.0-ee
v7.1.0.rc1
v7.1.0.rc1-ee
v7.2.0.rc1
v7.2.0.rc1-ee
v7.2.0.rc2
v7.2.0.rc2-ee
v7.2.0.rc3
v7.2.0.rc3-ee
v7.2.0.rc4
v7.2.0.rc4-ee
v7.2.0.rc5
v7.2.0.rc5-ee
v7.3.0
v7.3.0-ee
v7.3.0.rc1
v7.3.0.rc1-ee
v7.4.0
v7.4.0-ee
v7.4.1
v7.4.1-ee
v7.4.2
v7.4.2-ee
v7.4.3
v7.4.3-ee
v7.4.4-ee
v8.*
v8.10.0.pre
v8.11.0
v8.11.0-ee
v8.11.0-rc1
v8.11.0-rc1-ee
v8.11.0-rc2
v8.11.0-rc2-ee
v8.11.0-rc3
v8.11.0-rc3-ee
v8.11.0-rc4
v8.11.0-rc4-ee
v8.11.0-rc5
v8.11.0-rc5-ee
v8.11.0-rc6
v8.11.0-rc6-ee
v8.11.0-rc7
v8.11.0-rc7-ee
v8.11.0.pre
v8.11.1
v8.12.0
v8.12.0-ee
v8.12.0-rc1
v8.12.0-rc1-ee
v8.12.0-rc2
v8.12.0-rc2-ee
v8.12.0-rc3
v8.12.0-rc3-ee
v8.12.0-rc4
v8.12.0-rc4-ee
v8.12.0-rc5
v8.12.0-rc5-ee
v8.12.0-rc6
v8.12.0-rc6-ee
v8.12.0-rc7
v8.12.0-rc7-ee
v8.12.0.pre
v8.12.1
v8.12.1-ee
v8.12.2
v8.12.2-ee
v8.12.3-ee
v8.13.0.pre
v8.14.0.pre
v8.15.0.pre
v8.16.0.pre
v8.17.0.pre
v8.18.0.pre
v8.2.0-ee
v8.2.0.rc1
v8.2.0.rc1-ee
v8.2.0.rc2
v8.2.0.rc2-ee
v8.4.0.rc1
v8.8.0
v8.8.0-ee
v8.8.0-rc1
v8.8.0-rc1-ee
v8.8.0-rc2
v8.8.0-rc2-ee
v8.8.1-ee
v9.*
v9.1.0.pre
v9.2.0.pre
v9.3.0.pre
v9.5.0.pre
v9.6.0.pre