CVE-2021-39919: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure (GitLab Release, NVD).

The vulnerability is classified as medium severity with a CVSS v3.1 base score of 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). The issue involves sensitive information being exposed in system logs, specifically the reset password token and new user email token, which could potentially be accessed by unauthorized parties (NVD).

The exposure of reset password tokens and new user email tokens in logs could lead to unauthorized access to user accounts if these logs are compromised. This information disclosure could potentially allow attackers to intercept password reset processes or new user registration workflows (GitLab Release).

The vulnerability has been fixed in GitLab versions 14.3.6, 14.4.4, and 14.5.2. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com has already been updated to run the patched version (GitLab Release).