CVE-2021-39919
MEDIUM
GitLab 14.0-14.3.5, 14.4-14.4.3, 14.5-14.5.1 - Weak Password Recovery Mechanism via Token Logging
Title source: llmDescription
In all versions of GitLab CE/EE starting from version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, the reset password token and the new user email token are accidentally written to logs, which may lead to information disclosure.
References (2)
Broken Link x_refsource_misc
https://gitlab.com/gitlab-org/gitlab/-/issues/342445
Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39919.json
Scores
CVSS v3
4.4
EPSS
0.0029
EPSS Percentile
20.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-640
Status
published
Products (1)
gitlab/gitlab
14.0.0 - 14.3.6 (2 CPE variants)
Published
Dec 13, 2021
Tracked Since
Feb 18, 2026