CVE-2021-22171
📋 TL;DR
This vulnerability in GitLab Pages allows attackers to steal API tokens through insufficient authentication parameter validation. Attackers can craft malicious links that, when clicked by authenticated users, expose their API tokens. Affects GitLab 11.5+ with GitLab Pages enabled.
💻 Affected Systems
- GitLab
- GitLab Pages
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, unauthorized access to private repositories, data exfiltration, and lateral movement within GitLab infrastructure.
Likely Case
API token theft leading to unauthorized repository access, code modification, and potential data leakage.
If Mitigated
Limited impact with proper network segmentation, API token rotation policies, and user awareness training.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is straightforward once the link is crafted. Public exploit details available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GitLab 13.9.4, 13.10.3, 13.11.1 and later
Vendor Advisory: https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-4-released/
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update GitLab to a patched version using the official upgrade instructions.
3. Restart GitLab services.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Disable GitLab Pages
Linux (Omnibus): temporarily disable the GitLab Pages feature if it is not required. Set the following in /etc/gitlab/gitlab.rb and reconfigure:
gitlab_rails['pages_enabled'] = false
sudo gitlab-ctl reconfigure
Restrict Pages Access
Linux (Omnibus): configure GitLab Pages to serve content only to authenticated users. Set the following in /etc/gitlab/gitlab.rb and reconfigure:
gitlab_rails['pages_access_control'] = true
sudo gitlab-ctl reconfigure
🧯 If You Can't Patch
- Implement strict network controls to limit GitLab Pages exposure to trusted networks only
- Enforce mandatory API token rotation policies and user security awareness training about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version: if it is 11.5 through 13.9.3, 13.10.0 through 13.10.2, or 13.11.0, and GitLab Pages is enabled, the system is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Verify that the GitLab version is 13.9.4+, 13.10.3+, or 13.11.1+, and test that the malicious link patterns no longer expose tokens.
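The version check above is easy to get wrong by hand (13.10.3 is patched while 13.9.3 is not, and "13.9.10" sorts before "13.9.4" as a string). The script below is an added example, not part of this advisory or of GitLab's own tooling: it compares a version string numerically against the ranges stated above and checks whether an Omnibus /etc/gitlab/gitlab.rb explicitly disables Pages via the `gitlab_rails['pages_enabled']` key shown in the workaround. It assumes the Omnibus layout (gitlab.rb, `gitlab-rake gitlab:env:info` printing a "Version:" line); the sample config it runs against is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): classify a GitLab version against the
# vulnerable ranges for CVE-2021-22171 and check whether Pages is enabled.
# Range boundaries come from the advisory text: 11.5-13.9.3, 13.10.0-13.10.2, 13.11.0.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Compares up to three numeric
# components; a missing component counts as 0 (so 11.5 equals 11.5.0). A release
# suffix such as "-ee" (as printed by gitlab-rake) is stripped first.
vercmp() {
  local a="${1%%-*}" b="${2%%-*}" i x y
  for i in 1 2 3; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# in_range V LOW HIGH: true when LOW <= V <= HIGH (inclusive on both ends).
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# is_vulnerable_version V: true when V falls inside one of the affected ranges.
is_vulnerable_version() {
  in_range "$1" 11.5 13.9.3 || in_range "$1" 13.10.0 13.10.2 || in_range "$1" 13.11.0 13.11.0
}

# pages_enabled_in_config FILE: true unless the file has an uncommented line
# "gitlab_rails['pages_enabled'] = false". Assumption: Pages is otherwise on
# when pages_external_url is configured; only the explicit flag is inspected.
pages_enabled_in_config() {
  ! grep -Eq "^[[:space:]]*gitlab_rails\['pages_enabled'\][[:space:]]*=[[:space:]]*false" "$1"
}

# assess VERSION FILE: prints a verdict; returns 0 when the host is exposed
# (vulnerable version AND Pages enabled), 1 otherwise.
assess() {
  local v="$1" cfg="$2"
  if is_vulnerable_version "$v" && pages_enabled_in_config "$cfg"; then
    echo "GitLab $v with Pages enabled: affected by CVE-2021-22171, upgrade to 13.9.4/13.10.3/13.11.1+"
    return 0
  fi
  echo "GitLab $v: not affected (patched version or Pages disabled)"
  return 1
}

# Demonstration on a constructed gitlab.rb (not a real host's configuration).
sample_cfg=$(mktemp)
printf '%s\n' "pages_external_url 'https://pages.example.com'" \
              "gitlab_rails['pages_enabled'] = true" > "$sample_cfg"
assess 13.9.2-ee "$sample_cfg" || true
rm -f "$sample_cfg"

# On a live Omnibus host the same check reads the real version and config:
#   assess "$(sudo gitlab-rake gitlab:env:info | awk '/^Version:/ {print $2}')" /etc/gitlab/gitlab.rb
```

The `in_range` boundaries are inclusive, matching the advisory's "11.5-13.9.3" wording, and 13.11.0 is expressed as a one-element range so the same helper covers it. A version with more than three components or without a dot is outside what `vercmp` is written for; GitLab versions always have the form MAJOR.MINOR.PATCH with an optional edition suffix.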
📡 Detection & Monitoring
Log Indicators:
- Unusual API token usage patterns
- Multiple failed authentication attempts followed by successful token-based access
- GitLab Pages access logs showing suspicious referrer headers
Network Indicators:
- Outbound connections from GitLab server to unexpected external IPs using API tokens
- Unusual traffic patterns to GitLab Pages endpoints
SIEM Query:
source="gitlab" AND (event="api_token_created" OR event="pages_access") AND (user_agent CONTAINS "malicious" OR referrer CONTAINS "suspicious_domain")
(Pseudo-query: "malicious" and "suspicious_domain" are placeholders to be replaced with the indicators relevant to your environment; adapt the field names to your SIEM's GitLab log schema.)
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22171.json
- https://gitlab.com/gitlab-org/gitlab-pages/-/issues/262
- https://hackerone.com/reports/718460