CVE-2021-39899
4.2
MEDIUM
CVSS 3.1
EPSS 0.07%
描述
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
如何修補 CVE-2021-39899
要修補 CVE-2021-39899,請將受影響套件升級到下列已修補版本。
- —升級至 14.1.7 或更新版本
CVE-2021-39899 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 1.0.0, < 14.1.7, >= 14.2.0, < 14.2.5, >= 14.3.0, < 14.3.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.2 | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |