
GitLab Unauthenticated RCE Flaw

11 Nov 2021 - Jeroen van de Weerd

Today we opened case DIVD-2021-00030 to address a vulnerability known as CVE-2021-22205 in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 11.9. GitLab was not properly validating image files that are passed to a file parser, which resulted in a remote command execution (RCE) vulnerability.

We have received a list of GitLab servers running a vulnerable version of GitLab from security researchers at Censys.io, who previously wrote a blog post about this (https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/). We have validated these findings by manually verifying a representative sample and are now sending out notifications. On November 23, we received a second list of vulnerable GitLab servers from Censys. We also manually validated this data. Notifications are being sent.