CVE-2021-39908
MEDIUM
GitLab 0.8.0-14.2.5, 14.3.0-14.3.3, 14.4.0 - Code Injection via Unicode Character Obfuscation
Title source: llmDescription
In all versions of GitLab CE/EE from 0.8.0 before 14.2.6, all versions from 14.3 before 14.3.4, and all versions from 14.4 before 14.4.1, certain Unicode characters can be abused to commit malicious code into projects without it being noticed in the merge request or source code viewer UI. The impact is integrity-only (the CVSS vector below rates C:N/I:H/A:N): an authenticated user with push or merge-request rights gets logic past a human reviewer, not past the compiler or interpreter, which still sees the characters in their true order. Upgrading to a fixed version addresses how GitLab's own UI renders such characters; code reviewed through other tools is not covered by that change, so scanning commits for these characters in CI is a sensible complementary control.
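The check a practitioner would want alongside the upgrade is a scanner that flags the characters in question before a merge. The following is an added example, not GitLab's code or anything from the linked reports; it assumes that the "certain Unicode characters" are the well-known bidirectional controls and zero-width characters (the character sets and the sample source are assumptions made for the example, and the sample input is constructed).

```python
import sys
import unicodedata

# Added example: scan source text for Unicode characters that can make code render
# differently from how it is parsed. Not GitLab's code. The sets below are the
# bidirectional controls and zero-width characters, assumed to be the class the
# advisory refers to.

# Bidirectional marks, embeddings, overrides and isolates.
BIDI_CONTROLS = frozenset(
    [0x061C, 0x200E, 0x200F]             # ALM, LRM, RLM
    + list(range(0x202A, 0x202F))        # LRE, RLE, PDF, LRO, RLO
    + list(range(0x2066, 0x206A))        # LRI, RLI, FSI, PDI
)

# Characters with no visible glyph that can hide inside identifiers or literals.
ZERO_WIDTH = frozenset([0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF])


def classify(ch: str):
    """Return 'bidi', 'zero-width', 'format' or None for a single character."""
    cp = ord(ch)
    if cp in BIDI_CONTROLS:
        return "bidi"
    if cp in ZERO_WIDTH:
        return "zero-width"
    # Any other invisible format character (Unicode category Cf) is worth a look too.
    if unicodedata.category(ch) == "Cf":
        return "format"
    return None


def find_suspicious_chars(text: str):
    """Locate every flagged character; returns dicts with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind is None:
                continue
            findings.append({
                "line": lineno,
                "col": col,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "<unnamed>"),
                "kind": kind,
            })
    return findings


def escape_for_review(text: str) -> str:
    """Replace flagged characters with a visible <U+XXXX> marker so a reviewer sees them."""
    return "".join(f"<U+{ord(ch):04X}>" if classify(ch) else ch for ch in text)


# Constructed sample: reads like an ordinary access check, but line 2 carries a
# zero-width space inside the string literal (so the comparison never matches) and
# line 4 a right-to-left override inside a comment.
SAMPLE = (
    "def is_admin(user):\n"
    "    if user.role == 'admin\u200b':\n"
    "        return True\n"
    "    # \u202e } harmless-looking comment\n"
    "    return False\n"
)


def main(paths):
    """Scan the given files (or the constructed sample); return 1 if anything was found."""
    if paths:
        sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    else:
        sources = {"<sample>": SAMPLE}
    found = 0
    for name, text in sources.items():
        for f in find_suspicious_chars(text):
            found += 1
            print(f"{name}:{f['line']}:{f['col']}: {f['kind']} {f['codepoint']} {f['name']}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the two findings in the constructed sample, or pass file paths (for example the files touched by a merge request) and gate the pipeline on a non-zero exit status. Flagging the whole Cf category deliberately errs on the side of noise: soft hyphens and similar characters are rarely legitimate in source code, and a reviewer can whitelist specific files if they are.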
References (3)
Broken Link x_refsource_misc
https://gitlab.com/gitlab-org/gitlab/-/issues/337193
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1280077
Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39908.json
Scores
CVSS v3
6.5
EPSS
0.0018
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-94
Status
published
Products (2)
gitlab/gitlab
14.4.0 (2 CPE variants)
gitlab/gitlab
0.8.0 - 14.2.6 (upper bound exclusive, 14.2.6 being the fixed release; 2 CPE variants)
Published
Apr 01, 2022
Tracked Since
Feb 18, 2026