CVE-2021-39872: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired passwords to still access GitLab through git and API through access tokens acquired before password expiration (GitLab Security Release, NVD). The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program.

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The issue stems from improper validation of expired password status when using previously acquired access tokens. Users whose passwords have expired can continue to access the full API functionality and Git operations using tokens that were created before the password expiration (GitLab Security Release).

The vulnerability allows users with expired passwords to maintain unauthorized access to GitLab's functionality through API and Git operations using previously created access tokens. This bypasses the intended security control of password expiration and could potentially allow continued access to sensitive resources even after administrative password expiration actions (GitLab Security Release).

The vulnerability has been fixed in GitLab versions 14.3.1, 14.2.5, and 14.1.7. Organizations are strongly recommended to upgrade to these or later versions immediately. There are no known workarounds for this vulnerability other than upgrading to a patched version (GitLab Security Release).