CVE-2021-39927
LOWGitLab 8.4-14.4.4, 14.5.0-14.5.2, 14.6.0-14.6.1 - Server-Side Request Forgery via Localhost Port 80/443
Title source: llmDescription
Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443
References (2)
Core 2
Core References
Broken Link, Vendor Advisory x_refsource_misc
https://gitlab.com/gitlab-org/gitlab/-/issues/340476
Vendor Advisory x_refsource_confirm
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39927.json
Scores
CVSS v3
3.5
EPSS
0.0014
EPSS Percentile
34.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
gitlab/gitlab
8.4 - 14.4.5 (2 CPE variants)
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026