CVE-2021-22205
high-risk
Published 2021-04-23
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.
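The description above pins the flaw on image files reaching a file parser without proper validation. The following is an added example, not GitLab's code and not taken from the advisory, showing the general upload-gating pattern this class of bug calls for: the unsafe check that trusts the client-supplied extension next to a hardened gate that requires an allowlisted magic-byte signature which agrees with the extension. Function names, the signature table and the sample uploads are all constructed for illustration.

```python
"""Added example (not GitLab's code and not from the advisory): the upload
validation pattern this CVE class calls for. Dispatching a file to a parser
because its *name* ends in .jpg trusts attacker-controlled input; the file's
leading bytes must match an allowlisted image format, and that format must
agree with the extension, before any parser touches it. All function names
and sample uploads below are constructed for illustration.
"""
import os
from typing import Optional

# Leading-byte signatures for the only formats this endpoint is meant to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TYPE = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".gif": "image/gif",
}


def type_from_extension(filename: str) -> Optional[str]:
    """The unsafe check: whatever the client named the file is what it gets parsed as."""
    return EXTENSION_TYPE.get(os.path.splitext(filename)[1].lower())


def type_from_content(data: bytes) -> Optional[str]:
    """Identify the format from the bytes themselves; None if no allowlisted signature matches."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Hardened gate: return the content type only when the bytes carry an
    allowlisted image signature and that type agrees with the extension.
    Anything else is rejected before it can reach a parser."""
    by_name = type_from_extension(filename)
    by_bytes = type_from_content(data)
    if by_name is None or by_bytes is None or by_name != by_bytes:
        return None
    return by_bytes


# Constructed sample uploads (not real files):
SAMPLES = {
    # a genuine JPEG header followed by filler
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    # a PDF renamed to .jpg: extension-only dispatch hands this to an image parser
    "disguised.jpg": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + b"\x00" * 16,
    # real PNG bytes with a lying extension
    "mismatch.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # empty body
    "empty.png": b"",
}


def triage(samples=SAMPLES):
    """For each sample: (what the unsafe check decides, what the hardened gate decides)."""
    return {name: (type_from_extension(name), accept_upload(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (unsafe, hardened) in triage().items():
        print(f"{name:15} extension says {unsafe!s:11} hardened gate: {hardened}")
```

The magic-byte check alone is not sufficient either: a polyglot can carry a valid image header and still be parsed as something else by a downstream tool, which is why the gate also pins the format the parser is invoked for and why the parser itself should run with the least privilege the deployment allows.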
Do I need to act?
EPSS score: 94.5% chance of exploitation in the next 30 days (higher than 6% of all CVEs)
CISA KEV: actively exploited in the wild; listed on the Known Exploited Vulnerabilities catalog, so US federal agencies must patch
Public exploits: 1 available
Fix available. Upgrade to a release containing these commits: 5760c3c5919f911376a44fe16d674af2af898914, fa395d88d5232209aec5fd8010b5d9ee5f9f7dfe, db2e358dba43b6ad3a35fde5b1e21a3635b1a19d. The corresponding fixed releases per GitLab's advisory, not listed on this page, are 13.8.8, 13.9.6 and 13.10.3.
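Turning "do I need to act?" into a repeatable check across an inventory is easier with a version comparison than with a commit hash. The script below is an added example, not part of this tracker page and not GitLab tooling. The affected range (every release from 11.9) comes from the description above; the fixed releases 13.8.8, 13.9.6 and 13.10.3 come from GitLab's advisory for this CVE and are not on the page. The version strings in the sample inventory are constructed.

```python
"""Added example, not part of this tracker page and not GitLab tooling:
an offline answer to "do I need to act?" from a GitLab version string.
Affected range: every release from 11.9 (from the CVE description).
Fixed releases 13.8.8, 13.9.6 and 13.10.3 are from GitLab's advisory for
this CVE; they are not listed on the page. Sample versions are constructed.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

AFFECTED_FROM: Version = (11, 9, 0)
# First patched release on each branch that received a backport.
FIXED_ON_BRANCH = {(13, 8): (13, 8, 8), (13, 9): (13, 9, 6), (13, 10): (13, 10, 3)}
OLDEST_PATCHED_BRANCH = (13, 8)


def parse_version(text: str) -> Version:
    """'13.10.2-ee', 'v13.9.6', '13.8' -> (major, minor, patch); edition suffixes ignored."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return False                            # before 11.9: never affected
    branch = v[:2]
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]      # patched branch: compare to its fix
    # Branches without a backport: 11.9 .. 13.7 never got one, 13.11+ shipped with the fix.
    return branch < OLDEST_PATCHED_BRANCH


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'vulnerable', 'not vulnerable' or 'unparseable'."""
    verdicts = {}
    for text in versions:
        try:
            verdicts[text] = "vulnerable" if is_vulnerable(text) else "not vulnerable"
        except ValueError:
            verdicts[text] = "unparseable"
    return verdicts


if __name__ == "__main__":
    import sys
    # Constructed inventory; pass real version strings on the command line instead.
    inventory = sys.argv[1:] or [
        "13.10.2-ee", "13.10.3-ee", "13.9.5", "12.10.14", "11.8.0", "14.0.0", "garbage",
    ]
    for version, verdict in triage(inventory).items():
        print(f"{version:12} {verdict}")
```

Feed it the version reported by `sudo gitlab-rake gitlab:env:info` on the host, or by the authenticated `GET /api/v4/version` endpoint; the script itself never touches the network. A version that parses but sits on 13.8, 13.9 or 13.10 below its branch fix is the case worth double-checking by hand, since those are exactly the instances an operator may believe were "recently updated".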
CVSS 10.0/10 (Critical); attack vector: NETWORK; attack complexity: LOW
Affected Vendors: GitLab (CE and EE)
References (11 on the original page; 2 shown)
Permissions Required: https://hackerone.com/reports/1154542
US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
Risk score: 67/100 (high-risk)
Severity: 33/34 (Critical)
Exploitability: 27/34 (High)
Exposure: 7/34 (Low)