CVE-2021-39881 - log back

CVE-2021-39881 edited at 04 Oct 2021 21:16:49
References
https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#create-oauth-application-with-arbitrary-scopes-through-content-spoofing
+ https://hackerone.com/reports/494530
+ https://gitlab.com/gitlab-org/gitlab/-/issues/26695
CVE-2021-39881 edited at 30 Sep 2021 17:26:39
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Content spoofing
Description
+ In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names, which may allow the malicious user to trick unsuspecting users into authorizing the malicious client application using the spoofed scope name and description.
References
+ https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/#create-oauth-application-with-arbitrary-scopes-through-content-spoofing
Notes
CVE-2021-39881 created at 30 Sep 2021 17:14:55
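The description above boils down to an OAuth authorization server that stores whatever scope string the registrant supplies and then shows it to the resource owner on the consent page. The following Ruby is an added illustration of that pattern and of the usual fix; it is not GitLab's or Doorkeeper's code, and the allowlist, the application names and the `register_app_*` / `consent_text` helpers are constructed for this example.

```ruby
# Added illustration for CVE-2021-39881 (not GitLab's or Doorkeeper's code).
# An OAuth server must only accept scope identifiers it defines itself, and the
# text shown on the consent page must come from the server, never from the
# client application's registrant.

# Constructed sample allowlist: scope identifier => consent-page description.
KNOWN_SCOPES = {
  "api"       => "Full access to the API",
  "read_api"  => "Read-only access to the API",
  "read_user" => "Read-only access to the user's profile",
}.freeze

class InvalidScopeError < StandardError; end

# Vulnerable pattern: store whatever space-separated scope string the
# registrant supplies. Anything in it, including invented names such as
# "read_public_profile", later reaches the consent page unchanged.
def register_app_unchecked(name, scopes)
  { name: name, scopes: scopes.split }
end

# Hardened pattern: every requested scope must be one the server defines.
# Unknown names are rejected at registration time, so a registrant cannot
# smuggle a misleading scope name or description into the consent dialog.
def register_app_checked(name, scopes)
  requested = scopes.split
  raise InvalidScopeError, "no scopes requested" if requested.empty?

  unknown = requested.reject { |s| KNOWN_SCOPES.key?(s) }
  unless unknown.empty?
    raise InvalidScopeError, "unknown scopes: #{unknown.join(', ')}"
  end

  { name: name, scopes: requested.uniq }
end

# Consent text is rendered from the server-side table only; the scope
# identifiers are used as lookup keys, so a spoofed description cannot appear.
def consent_text(app)
  lines = app[:scopes].map { |s| "- #{s}: #{KNOWN_SCOPES.fetch(s)}" }
  "#{app[:name]} is requesting:\n" + lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts consent_text(register_app_checked("Demo client", "read_user"))
  begin
    register_app_checked("Evil client", "read_public_profile")
  rescue InvalidScopeError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is deliberately an allowlist rather than a pattern match: a scope that merely looks well-formed can still be misleading, so the only safe source of scope names and their descriptions is the server's own registry.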