| Reporter | Title | Published | Views | Family All 80 |
|---|---|---|---|---|
| Exploit for Code Injection in Gitlab | 5 Jun 202115:42 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 30 Oct 202111:54 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 29 Oct 202104:15 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 9 Nov 202118:19 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 1 Nov 202315:19 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 4 Nov 202109:01 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 28 Oct 202106:29 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 29 Oct 202104:15 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 19 Nov 202509:50 | – | githubexploit | |
| Exploit for Code Injection in Gitlab | 1 Nov 202106:06 | – | githubexploit |
id: CVE-2021-22205
info:
name: GitLab CE/EE - Remote Code Execution
author: GitLab Red Team
severity: critical
description: GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected GitLab instance.
remediation: |
Upgrade to GitLab CE/EE version 13.10.3 or 13.11.1 to mitigate this vulnerability.
reference:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-22205
cwe-id: CWE-94
epss-score: 0.99731
epss-percentile: 0.99952
cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
metadata:
max-request: 1
vendor: gitlab
product: gitlab
shodan-query:
- http.title:"GitLab"
- cpe:"cpe:2.3:a:gitlab:gitlab"
- http.title:"gitlab"
fofa-query: title="gitlab"
google-query: intitle:"gitlab"
tags: cve2021,cve,kev,hackerone,gitlab,rce,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
host-redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'
# digest: 4a0a00473045022100b1820b32e6c893ec10f7cc45c15dfa88e6df0bd4026a71a7ad6db7ce4bcea068022009063521f171c0c5f412f3737429e6878f7d8aa857ae1d72f01d3b2894ee05c5:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation