CVE-2021-39888: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1, a specific API endpoint vulnerability was discovered that could reveal sensitive information. The vulnerability allowed unauthorized access to details about private groups and other sensitive information contained within issue and merge request templates (GitLab Security Release, CVE Details).

The vulnerability exists in GitLab's API endpoint implementation where improper access controls allowed low-privileged users to access sensitive information. The issue was assigned a CVSS v3.1 score of 4.3 (Medium severity) with attack vector being Network, requiring low privileges and no user interaction (AttackerKB).

When exploited, the vulnerability could expose details about private groups and sensitive information contained within issue and merge request templates. This information disclosure could potentially reveal internal project details and confidential data to unauthorized users (GitLab Security Release).

GitLab addressed this vulnerability in versions 14.3.1, 14.2.5, and 14.1.7. Users are strongly recommended to upgrade to these versions or later to mitigate the risk. The fix was released on September 30, 2021, as part of a security release (GitLab Security Release).

The vulnerability was responsibly disclosed through GitLab's bug bounty program on HackerOne by security researcher @0xn3va. GitLab acknowledged the finding and promptly released patches to address the issue (GitLab Security Release).