cvedb.io
CVE-2021-39899
LOW · CVSS 2.9
EPSS exploitation probability: 0%
Published 2021-10-04T17:15:08.357 · Last modified 2026-06-17T04:04:23.230

Summary

In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.

Affected products

gitlab — gitlab

Does this affect you?

Add your gear to cvedb and we'll alert you only when gitlab ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.