CVE-2021-39896
CVSS 3.1 score: 3.8 (LOW)
EPSS: 0.20%
Description
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
How to fix CVE-2021-39896
To remediate CVE-2021-39896, upgrade the affected package to one of the fixed versions listed below.
- Bitnami/gitlab: upgrade to 14.1.7 or later
Is CVE-2021-39896 being exploited?
Low: EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Bitnami/gitlab: >= 8.0.0, < 14.1.7; >= 14.2.0, < 14.2.5; >= 14.3.0, < 14.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N |