CVE-2021-22171 log

Severity High
Remote Yes
Type Authentication bypass
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ would allow stealing a user's API access token. The issue is mitigated in GitLab version 13.7.2, 13.6.4, and 13.5.6.

Note: A way to bypass the fix released in GitLab version 13.7.2, 13.6.4, and 13.5.6 has been found and was subsequently fixed in version 13.7.4, 13.6.5, and 13.5.7.
Group Package Affected Fixed Severity Status Ticket
AVG-1416 gitlab 13.7.1-1 13.7.2-1 High Fixed
Date Advisory Group Package Severity Type
12 Jan 2021 ASA-202101-10 AVG-1416 gitlab High multiple issues