CVE-2021-39927

Summary

CVE	CVE-2021-39927
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-18 17:15:00 UTC
Updated	2022-09-03 03:30:00 UTC
Description	Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443

Risk And Classification

Problem Types: CWE-918

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Gitlab	Gitlab	All	All	All	All
Application	Gitlab	Gitlab	All	All	All	All
Application	Gitlab	Gitlab	All	All	All	All
Application	Gitlab	Gitlab	All	All	All	All
Application	Gitlab	Gitlab	All	All	All	All
Application	Gitlab	Gitlab	All	All	All	All

References

Reference	Source	Link	Tags
2021/CVE-2021-39927.json · master · GitLab.org / cves · GitLab	CONFIRM	gitlab.com
Not Found	MISC	gitlab.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This vulnerability has been discovered internally by the GitLab team

Legacy QID Mappings

379226 GitLab Multiple Security Vulnerabilities (gitlab- 14.6.2, 14.5.3, 14.4.5)
690770 Free Berkeley Software Distribution (FreeBSD) Security Update for gitlab (43f84437-73ab-11ec-a587-001b217b3468)