CVE-2021-39947

5.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab Runner
Vendor: CVE Published:; 6 June 2022

Summary

In specific circumstances, trace file buffers in GitLab Runner versions up to 14.3.4, 14.4 to 14.4.2, and 14.5 to 14.5.2 would re-use the file descriptor 0 for multiple traces and mix the output of several jobs

Affected Version(s)

GitLab Runner <14.3.4 < 14.3.4

GitLab Runner >=14.4, <14.4.2 < 14.4, 14.4.2

GitLab Runner >=14.5, <14.5.2 < 14.5, 14.5.2

References

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28732

x_refsource_MISC

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2022
Vulnerability Reserved
Aug 23, 2021

Collectors

NVD DatabaseMitre Database

Credit

This vulnerability has been discovered internally by the GitLab team