CVE-2021-39935
Published: 13 December 2021
Summary
CVE-2021-39935 is a medium-severity SSRF (CWE-918) vulnerability in GitLab (GitLab CE/EE). Its CVSS base score is 6.8 (Medium).
Operationally, it is ranked in the top 1.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-39935 is a server-side request forgery vulnerability tracked under CWE-918 that affects the CI Lint API in GitLab Community Edition and Enterprise Edition. The flaw impacts all versions from 10.5 up to but not including 14.3.6, all versions from 14.4 up to but not including 14.4.4, and all versions from 14.5 up to but not including 14.5.2. It carries a CVSS 3.1 score of 6.8 with the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N.
Unauthorized external users can exploit the issue by submitting crafted requests to the CI Lint API, enabling them to initiate server-side requests to arbitrary internal or external resources. This allows potential access to sensitive data or internal services that would otherwise be unreachable from outside the network.
Public advisories and the associated GitLab issue direct users to upgrade to the fixed releases 14.3.6, 14.4.4, or 14.5.2 (or later) to remediate the vulnerability. No additional configuration changes or workarounds are specified in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-26291
Vulnerability details
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform server-side requests via the CI Lint API.
- CWE(s): CWE-918 (Server-Side Request Forgery)
- KEV Date Added: 03 February 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces authorization checks on the CI Lint API so that only permitted users can submit requests, directly blocking the unauthorized external user path described in the CVE.
- SI-10 (Information Input Validation): Requires validation of all inputs to the CI Lint API (especially URLs/targets), preventing crafted SSRF payloads from being accepted and processed.
- SC-7 (Boundary Protection): Boundary-protection mechanisms can restrict the application server's ability to initiate arbitrary outbound requests to internal or external resources, limiting SSRF impact.