CVE-2021-22214
Published 2021-06-08
CVE-2021-22214: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting…
Priority: P1 (score 85) · Severity: high · CVSS 3.1: 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 27.81% (97.8th percentile)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 10.5 < 13.10.5 | 13.10.5 |
| gitlab | gitlab | >= 13.11 < 13.11.5 | 13.11.5 |
| gitlab | gitlab | >= 13.12 < 13.12.2 | 13.12.2 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
- url: POST /api/v4/ci/lint?include_merged_yaml=true
- command: {"content":"include:\n remote: http://127.0.0.1/test.yml"}
- command: {"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}
- port: 9100
- Look for unauthenticated POST requests to /api/v4/ci/lint?include_merged_yaml=true with a JSON body containing a 'remote:' include directive pointing to internal/loopback addresses (e.g., 127.0.0.1).
- Alert on responses from the GitLab CI lint endpoint that return HTTP 200 with Content-Type application/json and the string 'does not have valid YAML syntax!' in the body — this indicates the SSRF request was attempted and a response was received from the internal target.
- Use Shodan queries 'http.title:"GitLab"' or 'cpe:"cpe:2.3:a:gitlab:gitlab"' to identify exposed GitLab instances that may be targeted.
- The exploit is unauthenticated — no session or registration token is required. Monitor for POST requests to the CI lint API from unauthenticated sources.
- The SSRF vulnerability is only exploitable when 'requests to the internal network for webhooks' is explicitly enabled in the GitLab instance configuration. Instances with this setting disabled are not directly vulnerable via this vector.
- This vulnerability spans multiple related CVEs (CVE-2021-39935, CVE-2021-22214, CVE-2021-22175) fixed across separate patches; detection rules should account for all three.
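One way to operationalise the first and fourth detection points above, as an added Python example that is not part of this page, GitLab, or any of the listed sources: it scans request records for POSTs to the CI lint endpoint whose submitted YAML carries an `include:` with a `remote:` URL resolving to a loopback, private, link-local or unspecified address. The record layout (`src`, `method`, `path`, `body`, `auth`) and the sample traffic, which uses documentation IP ranges, are constructed for the demo. It generalises the page's 127.0.0.1 indicator to every internal range via the standard `ipaddress` module.

```python
"""Flag GitLab CI-lint requests whose remote include targets an internal address.

Added example, not GitLab code. Request records are a constructed sample and
their field layout (src, method, path, body, auth) is an assumption.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LINT_PATH = "/api/v4/ci/lint"
# A 'remote:' include line inside the YAML submitted in the JSON 'content' field.
REMOTE_RE = re.compile(r"^\s*remote:\s*['\"]?([^'\"\s]+)", re.MULTILINE)


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC1918, link-local, unspecified or 'localhost' hosts."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: not covered by this address-based indicator
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def remote_includes(body: str) -> List[str]:
    """Return the remote include URLs found in a CI-lint request body."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):
        return []  # not JSON, or JSON that is not an object
    if not isinstance(content, str) or "include:" not in content:
        return []
    return REMOTE_RE.findall(content)


def classify(record: Dict) -> Optional[Dict]:
    """Return a finding when a POST to the lint endpoint includes internal remote YAML."""
    if record["method"] != "POST":
        return None
    parts = urlsplit(record["path"])
    if parts.path != LINT_PATH:
        return None
    merged = parse_qs(parts.query).get("include_merged_yaml", ["false"])[0].lower() == "true"
    targets = [
        url for url in remote_includes(record["body"])
        if is_internal_host(urlsplit(url).hostname or "")
    ]
    if not targets:
        return None
    return {
        "src": record["src"],
        "merged_yaml": merged,  # the query flag the published IoC pairs with the payload
        "authenticated": record.get("auth", False),  # assumed field: token/session present
        "targets": targets,
    }


def scan(records: List[Dict]) -> List[Dict]:
    """Run classify() over every record and keep only the findings."""
    return [f for f in (classify(r) for r in records) if f]


# Constructed sample traffic (documentation IP ranges); not captured from a real instance.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST",
     "path": "/api/v4/ci/lint?include_merged_yaml=true",
     "body": '{"content":"include:\\n  remote: http://127.0.0.1:9100/test.yml"}',
     "auth": False},
    {"src": "198.51.100.4", "method": "POST",
     "path": "/api/v4/ci/lint?include_merged_yaml=true",
     "body": '{"content":"include:\\n  remote: https://gitlab.example.com/ci/shared.yml"}',
     "auth": True},
    {"src": "203.0.113.9", "method": "POST",
     "path": "/api/v4/ci/lint",
     "body": '{"content":"stages:\\n  - test"}',
     "auth": False},
    {"src": "10.0.0.5", "method": "POST",
     "path": "/api/v4/ci/lint?include_merged_yaml=true",
     "body": '{"content":"include:\\n  remote: http://10.0.0.1/internal.yml"}',
     "auth": True},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Because the indicator lives in the request body, this needs a log source that captures POST bodies (a reverse proxy or WAF in front of GitLab, not the default access log). A match with `merged_yaml` true and `authenticated` false is the closest fit to the published IoC and deserves the highest priority; the second sample record shows that a remote include pointing at a public host is not flagged.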
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 8.6 | HIGH | — |
| vulncheck | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
GHSA-6jpw-pq5v-3x7w: CVE-2021-22214 [HIGH] CWE-918
ghsa_unreviewed · 2022-05-24
OSV
CVE-2021-22214 [HIGH]
osv · 2021-06-08 · CVSS 8.6
VulnCheck
GitLab gitlab Server-Side Request Forgery (SSRF): CVE-2021-22214 [MEDIUM]
vulncheck · 2021 · CVSS 6.8
Affected: GitLab gitlab
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-12&host_type=src&vulnerability=cve-2021-22214
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-18&host_type=src&vulnerability=cve-2021-22214
GitLab
CVE-2021-22214 [MEDIUM] CWE-918
vendor_gitlab · 2021-06-08 · CVSS 6.8
Debian
CVE-2021-22214 [MEDIUM]: gitlab
vendor_debian · 2021 · CVSS 6.8
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
Nuclei
Gitlab CE/EE 10.5 - Server-Side Request Forgery: CVE-2021-22214 [CRITICAL]
nuclei · CVSS 9.8
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
Template (info section only; the request section is not reproduced on this page):

```yaml
id: CVE-2021-22214

info:
  name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
  author: Suman_Kar,GitLab Red Team
  severity: high
  description: |
    GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
    - CVE-2021-39935
    - CVE-2021-22214
    - CVE-2021-22175
  reference:
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22214.json
    - https://gitlab.com/gitlab-org/gitlab/-/issues/322926
    - https://hackerone.com/reports/1110131
```