
CVE-2021-22257

Published: Oct 05, 2021 | Modified: Oct 09, 2021

CVSS 3.x: 5.3 MEDIUM (source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.x: 5 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

RedHat/V2:
RedHat/V3:
Ubuntu: MEDIUM

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2. The /user.keys route is not restricted on instances with public visibility disabled, which allows user enumeration on such instances.

Affected Software

Name     Vendor   Start Version        End Version
Gitlab   Gitlab   14.0.0 (including)   14.0.9 (excluding)
Gitlab   Gitlab   14.1.0 (including)   14.1.4 (excluding)
Gitlab   Gitlab   14.2.0 (including)   14.2.2 (excluding)
Gitlab   Ubuntu   esm-apps/xenial      *
Gitlab   Ubuntu   xenial               *

References