CVE-2021-39909: 
GitLab vulnerability analysis and mitigation

Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab Enterprise Edition (EE) starting from version 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 was discovered. The vulnerability was assigned CVE-2021-39909 and was disclosed on October 28, 2021 (GitLab Release).

The vulnerability stems from improper verification of email address ownership in GitLab's CODEOWNERS feature. The CODEOWNERS file allows defining members with usernames and email addresses who can approve merge requests. However, the system failed to verify email address ownership when mapping addresses to GitLab usernames. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows an attacker to bypass CODEOWNERS Merge Request approval requirements under rare circumstances. If a CODEOWNERS file contains email addresses that do not have an associated GitLab account, an attacker can add that email address to their account and become a codeowner, effectively bypassing the 'Require Code Owner approval' check on protected branches (GitLab Release).

GitLab has addressed this vulnerability in versions 14.4.1, 14.3.4, and 14.2.6. Organizations are strongly recommended to upgrade to one of these patched versions immediately to prevent potential exploitation (GitLab Release).