Improper Input Validation Affecting gitlab package, versions <15.10.8+ds1-2
Threat Intelligence
Exploit Maturity
Mature
EPSS
97.32% (100th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-GITLAB-1264522
- published 27 Apr 2021
- disclosed 23 Apr 2021
Introduced: 23 Apr 2021
CVE-2021-22205 Open this link in a new tabHow to fix?
Upgrade Debian:unstable gitlab to version 15.10.8+ds1-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gitlab package and not the gitlab package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
References
- https://security-tracker.debian.org/tracker/CVE-2021-22205
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/327121
- https://hackerone.com/reports/1154542
- http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
- http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/50532
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-22205.yaml
CVSS Scores
version 3.1