CVE-2021-39898: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE since version 10.6, a project export functionality contained a vulnerability that exposed external webhook token values. This vulnerability was discovered and reported through GitLab's HackerOne bug bounty program and was assigned CVE-2021-39898. The issue was patched in GitLab versions 14.4.1, 14.3.4, and 14.2.6 released on October 28, 2021 (GitLab Security Release).

The vulnerability stems from the project export functionality leaking the external_webhook_token value in the exported project data. This token is used for authenticating webhook requests and computing HMAC signatures for pipeline triggers. The issue was rated as low severity with a CVSS score of 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) (GitLab Security Release).

The exposure of the external webhook token could allow unauthorized access to the project from which it was exported, even after an attacker no longer has legitimate access to the project. This could potentially enable an attacker to trigger CI pipelines without proper authorization (GitLab Security Release).

The vulnerability was fixed in GitLab versions 14.4.1, 14.3.4, and 14.2.6. Users are strongly recommended to upgrade to one of these versions or later to mitigate the issue. The fix involved removing the external_webhook_token from project exports (GitLab Security Release).

The vulnerability was responsibly disclosed through GitLab's bug bounty program by researcher @xanbanx. GitLab addressed the issue promptly through their security release process (GitLab Security Release).