CVE-2021-39911
LowCVSS 1.7Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
All versions of GitLab CE/EE from 13.9 before 14.2.6, from 14.3 before 14.3.4, and from 14.4 before 14.4.1 have an improper access control flaw that exposes private email addresses of Issue and Merge Requests assignees to Webhook data consumers.
Risk Assessment
Organizations may be exposed to the disclosure of private user information, potentially leading to privacy breaches and loss of trust.
Recommendation
It is recommended to upgrade GitLab to the latest version to mitigate this security vulnerability.
Original NVD description (English source)
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers

