
DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw

Our reference DIVD-2021-00030
Case lead Victor Gevers
Author Jeroen van de Weerd
Researcher(s)
CVE(s) CVE-2021-22205
Product GitLab Community Edition (CE) and Enterprise Edition (EE)
Versions all versions starting from 11.9
Recommendation Upgrade to 13.8.8, 13.9.6, and 13.10.3
Patch status Fully patched
Status Open

Summary

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.

What you can do

If you run a GitLab CE/EE version from 11.9 onwards, upgrade to the latest version as soon as possible.
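As an added example (not part of the DIVD case file or of GitLab's own tooling), the Python helper below triages an inventory of GitLab version strings against the affected range and the fixed releases listed in this case file; it assumes that branches newer than 13.10 carry the fix, and the hostnames in the sample are constructed.

```python
# Added triage helper: classify a GitLab CE/EE version string against the
# affected range ("all versions starting from 11.9") and the fixed releases
# (13.8.8, 13.9.6, 13.10.3) stated in the case file.
# Assumption (not from the case file): releases in branches newer than 13.10
# are treated as fixed. A trailing "-ee"/"-ce" suffix is ignored.
from typing import Dict, Tuple

FIRST_AFFECTED = (11, 9)
FIXED_RELEASES = {                 # patched release per affected branch
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
LATEST_FIXED = (13, 10, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optionally suffixed, e.g. '-ee') into a tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> str:
    """Return 'not affected', 'vulnerable' or 'fixed' for one version string."""
    v = parse_version(text)
    if v[:2] < FIRST_AFFECTED:
        return "not affected"      # before 11.9: outside the stated range
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return "fixed" if v >= fixed else "vulnerable"
    if v > LATEST_FIXED:
        return "fixed"             # assumption: newer branches include the fix
    return "vulnerable"            # 11.9 up to 13.7: no fixed release listed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git.example.test": "13.9.5-ee",
              "ci.example.test": "13.10.3",
              "old.example.test": "11.8.2"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```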

What we are doing

We are processing the list of vulnerable GitLab servers. We have sent the first notifications by email.

Timeline

Date Description
14 Apr 2021 CVE-2021-22205 reported by the GitLab team
29 Oct 2021 PoC released on GitLab
09 Nov 2021 DIVD received a list of vulnerable GitLab servers from security researchers at Censys
11 Nov 2021 First version of this case file
13 Nov 2021 Validating the received data
15 Nov 2021 First notifications sent out
27 Nov 2021 DIVD released an Nmap script to test for this vulnerability on its GitHub

More information