CVE-2021-22205
📋 TL;DR
CVE-2021-22205 is a critical remote code execution vulnerability in GitLab CE/EE: improper validation of image files passed to ExifTool allows attackers to execute arbitrary commands on the server. It affects GitLab instances from version 11.9 through 13.10.2. Attackers can exploit it without authentication to gain full control of affected systems.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands as the GitLab user, steal source code, deploy backdoors, pivot to internal networks, and potentially gain root access through privilege escalation.
Likely Case
Unauthenticated attackers executing arbitrary commands to steal sensitive data, deploy cryptocurrency miners, or establish persistence in the environment.
If Mitigated
Limited impact with proper network segmentation, but still potential for data exfiltration from the GitLab server itself.
🎯 Exploit Status
Multiple public exploits exist, including automated tools. Exploitation requires only the ability to upload a malicious image file to GitLab.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.10.3, 13.9.6, 13.8.8
Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 13.10.3, 13.9.6, or 13.8.8 depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable image uploads
Temporarily disable all image upload functionality in GitLab to prevent exploitation
Edit GitLab configuration to remove image upload capabilities
Network segmentation
Restrict GitLab instance access to trusted networks only
Configure firewall rules to limit GitLab access
🧯 If You Can't Patch
- Immediately restrict GitLab access to trusted IP addresses only using firewall rules
- Disable all image upload functionality and monitor for any exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version: if you are running 11.9 through 13.10.2 and not one of the backported fix releases (13.8.8 or 13.9.6), you are vulnerable
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Verify that the GitLab version is 13.10.3, 13.9.6, or 13.8.8, or a later release
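The version check above can be scripted so that the same test runs consistently across many self-managed hosts. The following POSIX sh snippet is an added example, not part of this advisory or of GitLab's tooling: it parses the `GitLab version:` line from `gitlab-rake gitlab:env:info` output and classifies it against the fixed releases listed above (the sample output line is constructed).

```shell
#!/bin/sh
# Added example: classify a GitLab version against the CVE-2021-22205 fix releases.
# Vulnerable range per the advisory: 11.9 through 13.10.2, except the backported
# fix releases 13.8.8 and 13.9.6 (and later patches on those branches).

# ver_key "13.10.2-ee" -> 13010002: a sortable integer built from major/minor/patch.
# Missing components count as 0; an "-ee"/"-ce" suffix is dropped.
ver_key() {
  v=$(printf '%s' "$1" | cut -d- -f1)
  maj=$(printf '%s' "$v" | cut -d. -f1)
  min=$(printf '%s' "$v" | cut -s -d. -f2)
  pat=$(printf '%s' "$v" | cut -s -d. -f3)
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# is_vulnerable VERSION: exit 0 when VERSION is in the affected range, 1 otherwise.
is_vulnerable() {
  k=$(ver_key "$1")
  [ "$k" -lt "$(ver_key 11.9.0)" ] && return 1              # before first affected release
  [ "$k" -ge "$(ver_key 13.10.3)" ] && return 1             # 13.10.3 and everything newer
  [ "$k" -ge "$(ver_key 13.9.6)" ] && [ "$k" -lt "$(ver_key 13.10.0)" ] && return 1  # 13.9.6+
  [ "$k" -ge "$(ver_key 13.8.8)" ] && [ "$k" -lt "$(ver_key 13.9.0)" ] && return 1   # 13.8.8+
  return 0
}

# version_from_env_info: reads `gitlab-rake gitlab:env:info` output on stdin and
# prints the value of the first "GitLab version:" line.
version_from_env_info() {
  sed -n 's/^GitLab version:[[:space:]]*//p' | head -n 1
}

# Constructed sample of the relevant output line (not captured from a real host).
# On a live system replace it with: sudo gitlab-rake gitlab:env:info | version_from_env_info
SAMPLE_ENV_INFO='GitLab version: 13.10.2-ee'
v=$(printf '%s\n' "$SAMPLE_ENV_INFO" | version_from_env_info)
if is_vulnerable "$v"; then
  echo "$v: VULNERABLE to CVE-2021-22205, upgrade to 13.10.3 / 13.9.6 / 13.8.8 or later"
else
  echo "$v: not in the affected range"
fi
```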
📡 Detection & Monitoring
Log Indicators:
- Unusual image uploads with suspicious filenames
- Unexpected commands executed during ExifTool image parsing
- Error logs showing failed image processing
Network Indicators:
- Unusual outbound connections from GitLab server
- Traffic to known malicious IPs or domains
SIEM Query:
source="gitlab" AND ("ExifTool" OR "image processing" OR "upload") AND (error OR failed OR suspicious)
🔗 References
- http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
- http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/327121
- https://hackerone.com/reports/1154542
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22205