CVE-2021-22214
published 2021-06-08


Priority: P1 (85, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
In the wild: exploited (ITW); listed in VulnCheck KEV
EPSS: 27.81% (97.8th percentile)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker, even on a GitLab instance where registration is limited.

Affected (9 ranges)

Vendor  | Product   | Version range                  | Fixed in
debian  | gitlab    | < gitlab 15.10.8+ds1-2 (sid)   | gitlab 15.10.8+ds1-2 (sid)
gitlab  | gitlab    | -                              | -
gitlab  | gitlab    | -                              | -
gitlab  | gitlab    | -                              | -
gitlab  | gitlab    | -                              | -
gitlab  | gitlab    | >= 10.5 < 13.10.5              | 13.10.5
gitlab  | gitlab    | >= 13.11 < 13.11.5             | 13.11.5
gitlab  | gitlab    | >= 13.12 < 13.12.2             | 13.12.2
gitlab  | gitlab_ce | -                              | -

Detection & IOCs (extracted from sources)

url: POST /api/v4/ci/lint?include_merged_yaml=true
command: {"content":"include:\n remote: http://127.0.0.1/test.yml"}
command: {"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}
port: 9100
  • Look for unauthenticated POST requests to /api/v4/ci/lint?include_merged_yaml=true with a JSON body containing a 'remote:' include directive pointing to internal/loopback addresses (e.g., 127.0.0.1).
  • Alert on responses from the GitLab CI lint endpoint that return HTTP 200 with Content-Type application/json and the string 'does not have valid YAML syntax!' in the body — this indicates the SSRF request was attempted and a response was received from the internal target.
  • Use Shodan queries 'http.title:"GitLab"' or 'cpe:"cpe:2.3:a:gitlab:gitlab"' to identify exposed GitLab instances that may be targeted.
  • The exploit is unauthenticated — no session or registration token is required. Monitor for POST requests to the CI lint API from unauthenticated sources.
  • The SSRF vulnerability is only exploitable when 'requests to the internal network for webhooks' is explicitly enabled in the GitLab instance configuration. Instances with this setting disabled are not directly vulnerable via this vector.
  • This vulnerability spans multiple related CVEs (CVE-2021-39935, CVE-2021-22214, CVE-2021-22175) fixed across separate patches; detection rules should account for all three.
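A defender-side check that turns the IOCs above into a request filter, added here as an example rather than anything from the cbcvebase record or GitLab's own code; the sample request tuples are constructed, and treating loopback, RFC1918 and link-local addresses as "internal" is an assumption about what counts as an internal target.

```python
# Added example (not from the cbcvebase record); sample requests are constructed.
import ipaddress
import json
import re
from urllib.parse import urlsplit

LINT_PATH = "/api/v4/ci/lint"
REMOTE_RE = re.compile(r"remote:\s*(\S+)")

def is_internal(host):
    """True for localhost, loopback, RFC1918 or link-local targets (assumed scope)."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unresolved hostname: out of scope for this check
    return ip.is_loopback or ip.is_private or ip.is_link_local

def remote_includes(body):
    """Extract every 'remote:' include URL from the JSON lint payload."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):
        return []
    return REMOTE_RE.findall(content)

def flag_request(method, path, body):
    """Return internal include targets, or None if the request is benign."""
    if method != "POST" or urlsplit(path).path != LINT_PATH:
        return None
    hits = [u for u in remote_includes(body) if is_internal(urlsplit(u).hostname or "")]
    return hits or None

# Constructed sample requests (method, path, body), not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/v4/ci/lint?include_merged_yaml=true",
     '{"content":"include:\\n remote: http://127.0.0.1:9100/test.yml"}'),
    ("POST", "/api/v4/ci/lint?include_merged_yaml=true",
     '{"content":"include:\\n remote: https://example.org/ci.yml"}'),
    ("GET", "/api/v4/projects", ""),
    ("POST", "/api/v4/ci/lint?include_merged_yaml=true",
     '{"content":"include:\\n remote: http://10.0.0.5/ci.yml"}'),
]

def scan(requests):
    """Return (index, targets) for every request that should raise an alert."""
    return [(i, hit) for i, (m, p, b) in enumerate(requests) if (hit := flag_request(m, p, b))]
```

Pair a hit with the instance's webhook setting: if requests to the internal network for webhooks are disabled, the same request is noise rather than a working SSRF attempt.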

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.6   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:N/A:N
osv           | -       | 8.6   | HIGH     | -
vulncheck     | -       | 6.8   | MEDIUM   | -
vendor_debian | -       | 6.8   | MEDIUM   | -