2021-10-27 12:31:04 +00:00
id: CVE-2021-22205

info:
  name: GitLab CE/EE - Remote Code Execution
  author: GitLab Red Team
  severity: critical
  description: |
    GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected GitLab instance.
  remediation: |
    Upgrade to GitLab CE/EE version 13.10.3 or 13.11.1 to mitigate this vulnerability.
  reference:
    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
    - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
    - https://hackerone.com/reports/1154542
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-22205
    cwe-id: CWE-94
    epss-score: 0.97333
    epss-percentile: 0.99868
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  metadata:
    max-request: 1
    vendor: gitlab
    product: gitlab
    shodan-query: http.title:"GitLab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2021,cve,kev,hackerone,gitlab,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/users/sign_in"

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: word
        words:
          - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
          - "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
          - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
          - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
          - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
          - "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
          - "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
          - "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
          - "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
          - "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
          - "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
          - "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
          - "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
          - "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
          - "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
          - "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
          - "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
          - "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
          - "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
          - "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
          - "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
          - "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
          - "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
          - "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
          - "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
          - "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
          - "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
          - "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
          - "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
          - "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
          - "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
          - "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
          - "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
          - "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
          - "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
          - "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
          - "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
          - "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
          - "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
          - "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
          - "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
          - "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
          - "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
          - "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
          - "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
          - "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
          - "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
          - "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
          - "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
          - "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
          - "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
          - "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
          - "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
          - "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
          - "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
          - "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
          - "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
          - "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
          - "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
          - "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
          - "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
          - "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
          - "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
          - "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
          - "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
          - "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
          - "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
          - "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
          - "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
          - "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
          - "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
          - "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
          - "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
          - "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
          - "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
          - "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
          - "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
          - "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
          - "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
          - "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
          - "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
          - "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
          - "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
          - "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
          - "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
          - "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
          - "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
          - "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
          - "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
        condition: or

    extractors:
      - type: regex
        group: 1
        regex:
          - '(?:application-)(\S{64})(?:\.css)'
# digest: 4a0a00473045022100abc381440f9275837d7e15eedee65a255ebe4897cdd81a9ec8bddc15e9fff97f02204d5198bbdca5253fecaf70b30ba2a9cb00162a44795ea0769c8d3c00f92c72fa:922c64590222798bb761d5b6d8e72950
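The passive check the template performs (pull the fingerprint out of the `application-<hash>.css` link on the sign-in page and compare it with the list of builds known to ship in vulnerable versions) as an added, stand-alone Python example; this is not part of the template or of nuclei. It uses three hashes copied from the matcher above, tightens the extractor's `\S{64}` to hex-only so an arbitrary 64-character token cannot produce a hit, and reports "unknown" when no such stylesheet is present, mirroring the description's caveat that a match is a version fingerprint, not proof of exploitability. The HTML responses are constructed, not captured from a real instance.

```python
import re
from typing import Optional

# Three entries copied from the template's matcher list above; the full list is
# what the template ships with, this subset is enough to exercise the logic.
VULNERABLE_ASSET_HASHES = {
    "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df",
    "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b",
    "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce",
}

# Template extractor is (?:application-)(\S{64})(?:\.css); restricting the
# capture to hex avoids matching any other 64-character asset suffix.
ASSET_HASH_RE = re.compile(r"application-([0-9a-f]{64})\.css")


def extract_asset_hash(html: str) -> Optional[str]:
    """Return the fingerprint from the first application-<hash>.css link, or None."""
    m = ASSET_HASH_RE.search(html)
    return m.group(1) if m else None


def classify(html: str) -> dict:
    """Passive version check: 'possibly-vulnerable' means the CSS build hash is on
    the known list; it does not confirm that the instance is exploitable."""
    asset_hash = extract_asset_hash(html)
    if asset_hash is None:
        return {"asset_hash": None, "status": "unknown"}
    status = "possibly-vulnerable" if asset_hash in VULNERABLE_ASSET_HASHES else "not-matched"
    return {"asset_hash": asset_hash, "status": status}


# Constructed sample sign-in responses (not real captures).
SAMPLE_MATCH = (
    '<html><head><title>Sign in · GitLab</title>'
    '<link rel="stylesheet" href="/assets/application-'
    '015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df.css">'
    "</head></html>"
)
SAMPLE_OTHER = '<link rel="stylesheet" href="/assets/application-' + "ab" * 32 + '.css">'
SAMPLE_NONHEX = '<link rel="stylesheet" href="/assets/application-' + "Z" * 64 + '.css">'
SAMPLE_NONE = "<html><body>Maintenance page</body></html>"

if __name__ == "__main__":
    for sample in (SAMPLE_MATCH, SAMPLE_OTHER, SAMPLE_NONHEX, SAMPLE_NONE):
        print(classify(sample))
```

Feeding the body of a real `/users/sign_in` response into `classify()` gives the same verdict the template's matcher would, with the hash returned alongside so it can be logged for asset inventory.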