CVE-2021-39881 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Content spoofing
Description	In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2431	gitlab	14.3.0-1	14.3.1-1	High	Fixed

References
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#create-oauth-application-with-arbitrary-scopes-through-content-spoofing https://hackerone.com/reports/494530 https://gitlab.com/gitlab-org/gitlab/-/issues/26695

References

https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#create-oauth-application-with-arbitrary-scopes-through-content-spoofing
https://hackerone.com/reports/494530
https://gitlab.com/gitlab-org/gitlab/-/issues/26695