Insecure Direct Object Reference Vulnerability in GitLab EE: Exposing Protected Branch Names

Insecure Direct Object Reference Vulnerability in GitLab EE: Exposing Protected Branch Names

CVE-2021-39889 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

Learn more about our Api Penetration Testing.