Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NnB2LWM3NTctNnJncs4AAqLL
apollo_upload_server has Denial of Service vulnerability
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware.
Permalink: https://github.com/advisories/GHSA-w6pv-c757-6rgr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NnB2LWM3NTctNnJncs4AAqLL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-w6pv-c757-6rgr, CVE-2021-39880
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-39880
- https://hackerone.com/reports/1181284
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561
- https://github.com/jetruby/apollo_upload_server-ruby/pull/44
- https://github.com/jetruby/apollo_upload_server-ruby/commit/b0582c1a3e458eee3c994fb38278bd0221f20486
- https://github.com/jetruby/apollo_upload_server-ruby/releases/tag/2.1.0
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561#note_642879964
- https://vuldb.com/?id.183842
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/apollo_upload_server/CVE-2021-39880.yml
- https://github.com/advisories/GHSA-w6pv-c757-6rgr
Blast Radius: 19.0
Affected Packages
rubygems:apollo_upload_server
Dependent packages: 1
Dependent repositories: 825
Downloads: 29,022,561 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.1.0, 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5
All unaffected versions: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5