CVE-2021-25956: Improper Authentication

August 17, 2021 (updated August 1, 2022)

Admin level users can change other user’s details but fails to validate already existing Login name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.

References

nvd.nist.gov/vuln/detail/CVE-2021-25956

Detect and mitigate CVE-2021-25956 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →