CVE-2021-39880
MEDIUMGitLab 11.9-13.12, 14.0-14.0.8, 14.1-14.1.3, 14.2-14.2.1 - Denial of Service via Apollo Upload Server Middleware
Title source: llmDescription
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
References (3)
Core 3
Core References
Broken Link x_refsource_misc
https://gitlab.com/gitlab-org/gitlab/-/issues/330561
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1181284
Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.json
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
59.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
Status
published
Products (2)
gitlab/gitlab
11.9.0 - 14.0.9 (2 CPE variants)
rubygems/apollo_upload_server
0 - 2.1.0RubyGems
Published
Oct 05, 2021
Tracked Since
Feb 18, 2026