GitLab up to 14.0.8/14.1.3/14.2.1 Route /user.keys information disclosure

Summaryinfo

A vulnerability was found in GitLab up to 14.0.8/14.1.3/14.2.1. It has been declared as problematic. This vulnerability affects unknown code of the file /user.keys of the component Route Handler. Executing a manipulation can lead to information disclosure. This vulnerability appears as CVE-2021-22257. The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in GitLab up to 14.0.8/14.1.3/14.2.1 (Bug Tracking Software). It has been declared as problematic. This vulnerability affects some unknown processing of the file /user.keys of the component Route Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality.

The weakness was presented 10/06/2021 as 23832. The advisory is shared for download at gitlab.com. This vulnerability was named CVE-2021-22257 since 01/05/2021. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 14.0.9, 14.1.4 or 14.2.2 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Bug Tracking Software

Name

• GitLab

Version

• 14.0.0
• 14.0.1
• 14.0.2
• 14.0.3
• 14.0.4
• 14.0.5
• 14.0.6
• 14.0.7
• 14.0.8
• 14.1.0
• 14.1.1
• 14.1.2
• 14.1.3
• 14.2.0
• 14.2.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion