DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw
Field | Value |
---|---|
Our reference | DIVD-2021-00030 |
Case lead | Victor Gevers |
Author | Jeroen van de Weerd |
Researcher(s) | |
CVE(s) | CVE-2021-22205 |
Product | GitLab Community Edition (CE) and Enterprise Edition (EE) |
Versions | All versions from 11.9 up to the fixed releases below |
Recommendation | Upgrade to 13.8.8, 13.9.6 or 13.10.3 (or later) |
Patch status | Fully patched |
Status | Closed |
Last modified | 12 Aug 2022 11:21 CEST |
Summary
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab did not properly validate image files before passing them to a file parser, which allowed unauthenticated remote command execution on the GitLab host. The issue is tracked as CVE-2021-22205 and fixed in GitLab 13.8.8, 13.9.6 and 13.10.3.
What you can do
If you run GitLab CE/EE version 11.9 or later, upgrade to 13.8.8, 13.9.6, 13.10.3 or a later release as soon as possible. Check the version of every instance you operate, including self-hosted instances that are not directly reachable from the internet.
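The fixed releases are per release branch (13.8.8, 13.9.6, 13.10.3), so a naive "is it older than 13.10.3?" check would wrongly flag a patched 13.8.8 or 13.9.6 instance. The following triage helper, added here as an example and not DIVD or GitLab code, parses GitLab version strings (as reported by `sudo gitlab-rake gitlab:env:info` on the host or shown in the Admin Area) and classifies them against the affected range stated in this case file. Branches newer than 13.10 are treated as fixed because they were cut after the security release; the hostnames and version strings in the inventory are constructed for the example, and "minimum fixed release" means the lowest safe target, not a supported upgrade path (GitLab requires intermediate stops for large jumps).

```python
"""Triage GitLab instances against the CVE-2021-22205 affected range.

Added example (not DIVD or GitLab code). The inventory below is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected: all versions from 11.9 onwards (per the case file) ...
FIRST_AFFECTED: Version = (11, 9, 0)
# ... up to, but not including, the fixed release on each maintained branch.
FIXED_PATCH_BY_BRANCH: Dict[Tuple[int, int], int] = {
    (13, 8): 8,   # 13.8.8
    (13, 9): 6,   # 13.9.6
    (13, 10): 3,  # 13.10.3
}
OLDEST_FIXED_BRANCH = min(FIXED_PATCH_BY_BRANCH)  # (13, 8)

# Accepts "13.10.2", "v13.9.6-ee", "13.8.8-ce.0"; suffixes are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text: str) -> bool:
    """True when the version lies in the affected range for CVE-2021-22205."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_PATCH_BY_BRANCH:
        return v[2] < FIXED_PATCH_BY_BRANCH[branch]
    # 11.9 .. 13.7 never received a fix; 13.11 and later were cut after the fix.
    return branch < OLDEST_FIXED_BRANCH


def minimum_fixed_release(text: str) -> str:
    """Lowest release that closes the hole: same-branch patch if one exists,
    otherwise the oldest fixed release (13.8.8). Empty string if not needed."""
    if not is_vulnerable(text):
        return ""
    branch = parse_version(text)[:2]
    if branch not in FIXED_PATCH_BY_BRANCH:
        branch = OLDEST_FIXED_BRANCH
    return f"{branch[0]}.{branch[1]}.{FIXED_PATCH_BY_BRANCH[branch]}"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to a verdict string for a notification or ticket."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            v = parse_version(version)
        except ValueError:
            report[host] = "unknown version"
            continue
        if v < FIRST_AFFECTED:
            report[host] = "not affected (pre-11.9)"
        elif is_vulnerable(version):
            report[host] = f"VULNERABLE: upgrade to {minimum_fixed_release(version)} or later"
        else:
            report[host] = "patched"
    return report


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("git-a.example.test", "13.10.2-ee"),
    ("git-b.example.test", "13.9.6-ee"),
    ("git-c.example.test", "12.10.14"),
    ("git-d.example.test", "11.8.10"),
    ("git-e.example.test", "14.3.0"),
    ("git-f.example.test", "n/a"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {verdict}")
```

Run the script as-is to see the constructed inventory triaged; in practice feed `triage()` the host/version pairs from your own asset inventory. A version string alone proves nothing about exposure, so treat the result as a prioritisation aid, not as proof that an instance was or was not exploited.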
What we are doing
We have processed two lists of vulnerable GitLab servers and sent two rounds of notifications to their owners by email (see the timeline). As of 29 Dec 2021 this case is closed.
Timeline
Date | Description |
---|---|
14 Apr 2021 | CVE-2021-22205 reported and fixed by the GitLab team (security release 13.10.3, 13.9.6 and 13.8.8). |
29 Oct 2021 | Public proof of concept released on GitLab. |
09 Nov 2021 | DIVD received a list of vulnerable GitLab servers from security researchers at Censys. |
11 Nov 2021 | First version of this case file. |
13 Nov 2021 | Validation of the received data. |
15 Nov 2021 | First notifications sent out. |
23 Nov 2021 | DIVD received a second list of vulnerable GitLab servers. |
23 Nov 2021 | Validation of the second list. |
24 Nov 2021 | DIVD sent out a second batch of notifications. |
27 Nov 2021 | DIVD released an Nmap script (NSE) to test for this vulnerability on its GitHub. |
29 Dec 2021 | With two rounds of notifications sent out, and a change that makes it no longer possible to reliably verify whether systems are still vulnerable, we have exhausted our means to notify for this case. |
```mermaid
gantt
title DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw (58 days) :2021-11-01, 2021-12-29
section Events
CVE-2021-22205 reported and fixed by the GitLab team : milestone, 2021-04-14, 0d
Public proof of concept released on GitLab : milestone, 2021-10-29, 0d
DIVD received a list of vulnerable GitLab servers from security researchers at Censys : milestone, 2021-11-09, 0d
First version of this case file : milestone, 2021-11-11, 0d
Validation of the received data : milestone, 2021-11-13, 0d
First notifications sent out : milestone, 2021-11-15, 0d
DIVD received a second list of vulnerable GitLab servers : milestone, 2021-11-23, 0d
Validation of the second list : milestone, 2021-11-23, 0d
DIVD sent out a second batch of notifications : milestone, 2021-11-24, 0d
DIVD released an Nmap script (NSE) to test for this vulnerability on its GitHub : milestone, 2021-11-27, 0d
With two rounds of notifications sent out, and a change that makes it no longer possible to reliably verify whether systems are still vulnerable, we have exhausted our means to notify for this case : milestone, 2021-12-29, 0d
```
More information
- GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8
- GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps
- CVE-2021-22205: It Was A GitLab Smash