CVE-2021-39909

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-39909

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39909.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-39909

Aliases

BIT-gitlab-2021-39909

Published

2021-11-05T00:15:11.147Z

Modified

2026-04-10T04:37:33.796086Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type

GIT

Repo

https://gitlab.com/gitlab-org/gitlab

Events

Introduced

1bbe39452664021af90851aef8527ce5e850343e

Fixed

9ed95b96a6766af9336048a63a29b678f88a9413

Introduced

dec73e99fddac59c0bf816dc4bffd2a30abae6de

Fixed

3e776d83389c706fb81973736e57ca6a6fb952fc

Introduced

Last affected

19c719febd74b6edf549bf6a2c0e36bf8f176d56

Introduced

44dbeccbe1039cb1d42d8502655ffb0bce3ae803

Fixed

3e776d83389c706fb81973736e57ca6a6fb952fc

Introduced

1bbe39452664021af90851aef8527ce5e850343e

Fixed

abc23a14bace184532d1d344c4d230d9fc99eba6

Database specific

{
    "versions": [
        {
            "introduced": "11.3.0"
        },
        {
            "fixed": "14.2.6"
        },
        {
            "introduced": "14.3.0"
        },
        {
            "fixed": "14.3.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.4.0"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "14.3.4"
        },
        {
            "introduced": "11.3.0"
        },
        {
            "fixed": "14.4.1"
        }
    ]
}

Affected versions

Other

11-10-0cfa69752d8-0d9531c80-ee

11-10-0cfa69752d8-74ffd66ae-ee

11-10-119f9509d50-6d7537235-ee

v1.*

v1.2.0

v1.2.0pre

v1.2.1

v1.2.2

v14.*

v14.2.0-ee

v14.2.0-rc42-ee

v14.2.1-ee

v14.2.3-ee

v14.2.4-ee

v14.3.0-ee

v14.3.2-ee

v14.3.3-ee

v14.4.0-ee

v14.4.0-rc42-ee

v14.4.0-rc43-ee

v14.4.0-rc44-ee

v14.4.0-rc45-ee

v2.*

v2.3.0

v2.3.0pre

v2.3.1

v2.4.0

v2.4.0pre

v2.4.1

v2.5.0

v2.6.0

v2.6.0pre

v2.6.1

v2.6.2

v2.6.3

v2.7.0

v2.7.0pre

v2.8.0

v2.8.0pre

v2.8.1

v2.8.2

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v4.*

v4.0.0

v4.0.0rc1

v4.0.0rc2

v5.*

v5.0.0

v5.1.0

v5.2.0

v6.*

v6.0.0-ee

v6.0.0-ee.beta

v6.0.0-ee.rc1

v6.1.0-ee

v6.3.0-ee

v6.3.1-ee

v6.4.0-ee

v6.5.0-ee

v6.6.0-ee

v6.7.0-ee

v6.7.0.rc1-ee

v6.8.0-ee

v7.*

v7.0.0-ee

v7.1.0-ee

v7.1.0.rc1-ee

v7.2.0.rc1-ee

v7.2.0.rc2-ee

v7.2.0.rc3-ee

v7.2.0.rc4-ee

v7.2.0.rc5-ee

v7.3.0-ee

v7.3.0.rc1-ee

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39909.json"