CVE-2021-22175

high-risk
Published 2021-06-11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled

Do I need to act?

!
66.2% chance of exploitation in next 30 days
EPSS score — higher than 34% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.8/10 Medium
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Gitlab

References (7)

Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
Exploit https://gitlab.com/gitlab-org/gitlab/-/issues/294178
Permissions Required https://hackerone.com/reports/1059596
Vendor Advisory https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
Exploit https://gitlab.com/gitlab-org/gitlab/-/issues/294178
Permissions Required https://hackerone.com/reports/1059596
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
54
/ 100
high-risk
Severity 21/34 · High
Exploitability 26/34 · High
Exposure 7/34 · Low