Insufficient Session Expiration in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2021-39899
Published: October 5, 2021
Vulnerability identifier: #VU57050
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-39899
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition
Gitlab Community Edition
GitLab Enterprise Edition
Detailed vulnerability description
The vulnerability allows a local attacker to gain access to sensitive information.
The vulnerability exists due to lack of account lockout on change password functionality. An attacker with physical access can brute force the user’s password.
How to mitigate CVE-2021-39899
Install updates from vendor's website.