CVE-2021-39899

Name of the Vulnerable Software and Affected Versions GitLab CE/EE (affected versions not specified)

Description An attacker with physical access to a user's machine may brute force the user's password via the change password function. Although there is a rate limit in place, the attack can still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses, passing in the compromised session value from these various locations.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.