Insufficient Session Expiration in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2021-39899

 

Insufficient Session Expiration in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2021-39899

Published: October 5, 2021


Vulnerability identifier: #VU57050
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-39899
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists due to lack of account lockout on change password functionality. An attacker with physical access can brute force the user’s password.


How to mitigate CVE-2021-39899

Install updates from vendor's website.

Sources