Description
A collision in access memoization logic in GitLab CE/EE (all versions before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2) leads to potentially elevated privileges in groups and projects under rare circumstances.
References (2)
https://gitlab.com/gitlab-org/gitlab/-/issues/336802 (x_refsource_misc; broken link)
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39937.json (x_refsource_confirm; third party advisory)
Scores
CVSS v3
5.9
EPSS
0.0015
EPSS Percentile
35.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-269
Status
published
Products (1)
gitlab/gitlab
< 14.3.6 (2 CPE variants)
Published
Dec 13, 2021
Tracked Since
Feb 18, 2026