Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-22214: Server-Side Request Forgery in GitLab

Severity
NVD: 8.6 HIGH
VulnCheck: 6.8

EPSS
93.8% (top 0.14%)

CISA KEV
Not in KEV

Exploit
PoC available (public exploit / PoC exists)

Timeline
Published: Jun 8, 2021
Latest update: Mar 11, 2025

Description

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE, affecting all versions starting from 10.5, could be exploited by an unauthenticated attacker, even on a GitLab instance where registration is limited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 4.0

Affected Packages (5 packages)

Source | Package | Affected range
NVD | gitlab/gitlab | >=10.5, <13.10.5 (+2 more ranges)
Debian | debian/gitlab | < 15.10.8+ds1-2 (sid)
CVEListV5 | gitlab/gitlab | >=10.5, <13.10.5; >=13.11, <13.11.5; >=13.12, <13.12.2 (+2 more ranges)
GitLab | gitlab/gitlab | (range not listed)
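Two facts on this page decide whether an instance is actually exposed: its version must fall in one of the affected ranges listed above, and the precondition in the description (requests to the internal network from webhooks enabled) must hold. The following offline triage helper is an added example written for this page, not GitLab's own tooling and not the Nuclei template listed below. It encodes the three CVEListV5 ranges shown above (the "+2 more" ranges the page collapses are not encoded) and assumes that the application-settings key `allow_local_requests_from_web_hooks_and_services`, as returned by `/api/v4/application/settings`, is the toggle the description refers to. The settings document in the block is constructed sample data.

```python
"""Offline triage helper for CVE-2021-22214.

Added example, not code from GitLab or from this page's data sources.  Encodes
the CVEListV5 ranges shown on the page plus the description's precondition.
"""
import json
import re
from typing import Tuple

# Affected ranges as listed in the CVEListV5 row: [introduced, fixed).
# The page marks "+2 more" ranges that it does not display; they are not encoded.
AFFECTED_RANGES = (
    ("10.5", "13.10.5"),
    ("13.11", "13.11.5"),
    ("13.12", "13.12.2"),
)

# Assumption: this application-settings key is the "allow requests to the local
# network from webhooks and integrations" toggle named in the description.
LOCAL_WEBHOOK_SETTING = "allow_local_requests_from_web_hooks_and_services"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '13.12.1-ee' or '13.11' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable GitLab version: {v!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def version_affected(v: str) -> bool:
    """True if the version lies in any listed [introduced, fixed) range."""
    ver = parse_version(v)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def local_webhook_requests_enabled(settings_json: str) -> bool:
    """Read the precondition flag from an application-settings response body."""
    return bool(json.loads(settings_json).get(LOCAL_WEBHOOK_SETTING, False))


def triage(version: str, settings_json: str) -> str:
    """Combine version range and precondition into one verdict."""
    affected = version_affected(version)
    enabled = local_webhook_requests_enabled(settings_json)
    if affected and enabled:
        return "exposed"            # vulnerable build and the precondition holds
    if affected:
        return "patch-required"     # vulnerable build, precondition currently off
    return "not-affected"


# Constructed sample settings document (not real data): toggle switched on.
SAMPLE_SETTINGS = json.dumps({
    "id": 1,
    "allow_local_requests_from_web_hooks_and_services": True,
    "allow_local_requests_from_system_hooks": False,
})

if __name__ == "__main__":
    for v in ("13.10.4", "13.10.5", "13.11.0-ee", "13.12.2", "14.0.0"):
        print(f"{v:12} affected={version_affected(v)} -> {triage(v, SAMPLE_SETTINGS)}")
```

Feed it the instance version and the settings JSON an administrator token retrieves; "patch-required" is still a finding, since the toggle can be switched on later, but "exposed" is the state the unauthenticated path in the description needs.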

🔴 Vulnerability Details (3)

GHSA: GHSA-6jpw-pq5v-3x7w (2022-05-24): When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 ...
OSV: CVE-2021-22214 (2021-06-08): When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 ...
VulnCheck: GitLab Server-Side Request Forgery (SSRF) (2021)

💥 Exploits & PoCs (1)

Nuclei: GitLab CE/EE 10.5 - Server-Side Request Forgery

📋 Vendor Advisories (2)

GitLab: CVE-2021-22214 (2021-06-08): When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 ...
Debian: CVE-2021-22214 (2021): gitlab - When requests to the internal network for webhooks are enabled, a server-side re...

🕵️ Threat Intelligence (1)

GreyNoise (2025-03-11): New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach