CVE-2021-39881


CVSS 3.5 LOW · EPSS 0.8%
Vexday Risk Score
8 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.5 · EPSS 0.8% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
05 Oct 2021: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Affected products
GitLab · GitLab
