CVE-2021-22205
published 2021-04-23

Priority: P1 (critical), CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 99.73% (100.0th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affected

9 ranges

Vendor | Product   | Version range                  | Fixed in
debian | gitlab    | < gitlab 15.10.8+ds1-2 (sid)   | gitlab 15.10.8+ds1-2 (sid)
gitlab | gitlab    | (not specified)                | (not specified)
gitlab | gitlab    | (not specified)                | (not specified)
gitlab | gitlab    | (not specified)                | (not specified)
gitlab | gitlab    | (not specified)                | (not specified)
gitlab | gitlab    | >= 11.9.0 < 13.8.8             | 13.8.8
gitlab | gitlab    | >= 13.10.0 < 13.10.3           | 13.10.3
gitlab | gitlab    | >= 13.9.0 < 13.9.6             | 13.9.6
gitlab | gitlab_ce | (not specified)                | (not specified)

Detection & IOCs (extracted from sources)

Affected versions: GitLab CE/EE < 13.8.8, < 13.9.6, < 13.10.3
  • CVE-2021-22205 is exploited via unauthenticated file upload to GitLab; monitor for image file uploads that trigger ExifTool parsing, resulting in command execution as the 'git' user.
  • GitLab servers exploited via CVE-2021-22205 have been observed being recruited into DDoS botnets capable of attacks over 1TB/s; monitor for anomalous outbound traffic from GitLab hosts.
  • CVE-2021-22205 has been chained with CVE-2021-22204 in Cerber ransomware attacks to upload and execute code remotely on GitLab servers; monitor for unauthorized code execution in the context of the 'git' account.
  • CVE-2021-22205 exploitation involves passing malicious image files to a file parser (ExifTool); alert on GitLab processes spawning unexpected child processes from image/file upload handling code paths.
  • Cloudflare observed a Mirai-type DDoS attack involving GitLab servers infected through CVE-2021-22205; correlate GitLab server compromise indicators with Mirai botnet C2 traffic patterns.
  • The vulnerability affects all GitLab CE/EE versions starting from 11.9; only versions 13.10.3, 13.9.6, and 13.8.8 (and later) are patched. Ensure GitLab instances are upgraded to a patched version.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd           | v2.0         | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |              | 10.0  | CRITICAL |
vulncheck     |              | 10.0  | CRITICAL |
cisa          |              | 10.0  | CRITICAL |
vendor_debian |              | 10.0  | CRITICAL |