CVE-2021-39901: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. This vulnerability was assigned CVE-2021-39901 and has been given a CVSS 3.1 Base Score of 2.7 (LOW) (NVD).

The vulnerability is characterized by improper access control that allows group administrators to view SCIM (System for Cross-domain Identity Management) tokens through a specific endpoint. The vulnerability has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, unchanged scope, low confidentiality impact, and no impact on integrity or availability (GitLab Release).

The impact of this vulnerability is considered low severity as it only affects confidentiality and requires high privileges (group admin access) to exploit. The vulnerability could potentially lead to unauthorized access to SCIM tokens, which are used for identity management operations (NVD).

The vulnerability has been fixed in GitLab versions 14.4.1, 14.3.4, and 14.2.6. Organizations running affected versions of GitLab CE/EE should upgrade to one of these patched versions immediately (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher @ngalog (GitLab Release).