Skip to the content.

DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw

Our reference DIVD-2021-00030
Case lead Victor Gevers
Author Jeroen van de Weerd
Researcher(s)
CVE(s)
Product GitLab Community Edition (CE) and Enterprise Edition (EE)
Versions all versions starting from 11.9
Recommendation Upgrade to 13.8.8, 13.9.6, and 13.10.3
Patch status Full patched
Status Closed
Last modified 08 Feb 2022 20:45

Summary

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

What you can do

If you run GitLab CE/EE version starting from 11.9, upgrade to the latest version as soon as possible.

What we are doing

We are processing the list of vulnerable gitlab servers. We have sent the first notifications by email.

Timeline

Date Description
14 Apr 2021 CVE-2021-22205 Reported by the Gitlab team.
29 Oct 2021 POC released on Gitlab
09 Nov 2021 DIVD got a list of vulnerable gitlab servers, from security researchers at Censys
11 Nov 2021 First version of this case file
13 Nov 2021 Validating the received data
15 Nov 2021 First notifications sent out
23 Nov 2021 DIVD got a second list with vulnerable gitlab servers
23 Nov 2021 Validating the second received data
24 Nov 2021 DIVD sent out a second batch of notifications
27 Nov 2021 DIVD has released an NMAP script to test for this vulnerability on its GitHub
29 Dec 2021 With two rounds of notifications sent out, and a change making it no longer possible to reliably verify if systems are still vulnerable we’ve exhausted our means to notify for this case.
gantt title DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw (58 days) :2021-11-01, 2021-12-29 section Events CVE-2021-22205 Reported by the Gitlab team. : milestone, 2021-04-14, 0d POC released on Gitlab : milestone, 2021-10-29, 0d DIVD got a list of vulnerable gitlab servers, from security researchers at Censys : milestone, 2021-11-09, 0d First version of this case file : milestone, 2021-11-11, 0d Validating the received data : milestone, 2021-11-13, 0d First notifications sent out : milestone, 2021-11-15, 0d DIVD got a second list with vulnerable gitlab servers : milestone, 2021-11-23, 0d Validating the second received data : milestone, 2021-11-23, 0d DIVD sent out a second batch of notifications : milestone, 2021-11-24, 0d DIVD has released an NMAP script to test for this vulnerability on its GitHub : milestone, 2021-11-27, 0d With two rounds of notifications sent out, and a change making it no longer possible to reliably verify if systems are still vulnerable we’ve exhausted our means to notify for this case. : milestone, 2021-12-29, 0d

More information