CVE-2021-39896

Description

In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.

Related CPE's

a gitlab gitlab ****community ***

a gitlab gitlab ****enterprise ***

a gitlab gitlab ****community ***

a gitlab gitlab ****enterprise ***

a gitlab gitlab ****community ***

a gitlab gitlab ****enterprise ***

References

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39896.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/339362

Broken Link

CvssV3 impact

BaseSeverity	LOW
ConfidentialityImpact	LOW
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	NONE
IntegrityImpact	LOW
PrivilegesRequired	HIGH
BaseScore	3.8
VectorString	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	PARTIAL
AvailabilityImpact	NONE
IntegrityImpact	PARTIAL
BaseScore	5.5
VectorString	AV:N/AC:L/Au:S/C:P/I:P/A:N
Version	2.0
AccessVector	NETWORK
Authentication	SINGLE

Created by Yello

About Severity.io