CVE-2021-39899

LOW

Gitlab < 14.1.7 - Password Reset Weakness

Title source: rule

Description

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

References (2)

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/339154

[Vendor Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39899.json

Scores

CVSS v3 2.9

EPSS 0.0007

EPSS Percentile 21.8%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE

CWE-640

Status published

Products (1)

gitlab/gitlab 1.0.0 - 14.1.7 (2 CPE variants)

Published Oct 04, 2021

Tracked Since Feb 18, 2026