CVE Catalog

CVE-2021-39911

LowCVSS 1.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

45th percentile — higher than 45% of all known CVEs

Summary

All versions of GitLab CE/EE from 13.9 before 14.2.6, from 14.3 before 14.3.4, and from 14.4 before 14.4.1 have an improper access control flaw that exposes private email addresses of Issue and Merge Requests assignees to Webhook data consumers.

Risk Assessment

Organizations may be exposed to the disclosure of private user information, potentially leading to privacy breaches and loss of trust.

Recommendation

It is recommended to upgrade GitLab to the latest version to mitigate this security vulnerability.

Original NVD description (English source)

An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers

Vulnerability data from NVD (NIST) · CISA KEV · EPSS