Vendor: GitLab
By: Jacob Baines
CVSS: 8.8 (HIGH)
Type: Remote Code Execution (RCE)
CWE: 78
Product Name: GitLab
Affected Version From: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
Affected Version To: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
Patch Exists: YES
Related CVE: CVE-2021-22205
CPE: a:gitlab:gitlab
Tags: kev,hackerone,cve,cve2021,gitlab,rce
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Nuclei References:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.title:"GitLab"', 'vendor': 'gitlab', 'product': 'gitlab'}
Platforms Tested: Ubuntu
Year: 2021
GitLab 13.10.2 – Remote Code Execution (RCE) (Unauthenticated)
Code execution results from GitLab passing user-supplied image uploads to ExifTool, which allows a remote unauthenticated attacker to supply a DjVu file to a vulnerable ExifTool (see CVE-2021-22204). Exploitation of GitLab therefore takes two steps: generating the payload, then sending it. Generating the payload means creating a DjVu image named lol.jpg that triggers a reverse shell to 10.0.0.3 on port 1270. Sending the payload means using curl to upload it to the GitLab instance.
Mitigation:
Update GitLab Community Edition and Enterprise Edition to 13.10.3, 13.9.6, or 13.8.8 (the patched release for each affected branch).