CVE-2021-39881
LOWGitLab 7.7.0-14.1.7 - OAuth Scope Spoofing via Arbitrary Scope Names
Title source: llmDescription
In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.
References (3)
Core 3
Core References
Broken Link x_refsource_misc
https://gitlab.com/gitlab-org/gitlab/-/issues/26695
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/494530
Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39881.json
Scores
CVSS v3
3.5
EPSS
0.0025
EPSS Percentile
48.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Details
Status
published
Products (1)
gitlab/gitlab
7.7.0 - 14.1.7 (2 CPE variants)
Published
Oct 05, 2021
Tracked Since
Feb 18, 2026