CVE-2021-22241

8.7 HIGH

📋 TL;DR

This vulnerability allows attackers to execute stored cross-site scripting (XSS) attacks by creating a malicious default branch name in GitLab. All GitLab CE/EE instances starting from version 14.0 are affected. Attackers can inject malicious scripts that execute when users view or interact with the compromised branch.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: All versions starting from 14.0
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default branch creation functionality are vulnerable. No special configuration required.

📦 What is this software?

GitLab by GitLab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.

🟠 Likely Case: Attackers inject malicious JavaScript to steal session tokens or credentials from users who view the malicious branch name, potentially leading to account takeover.

🟢 If Mitigated: With proper input validation and output encoding, the malicious payload would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH - GitLab instances exposed to the internet are directly accessible to attackers who can exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal accounts, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create branches. Public proof-of-concept demonstrates the XSS injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GitLab 14.1.7, 14.2.5, and 14.3.1

Vendor Advisory: https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab 14.1.7, 14.2.5, or 14.3.1 or later.
3. Restart GitLab services.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable branch creation for untrusted users (all): Restrict branch creation permissions to trusted users only to reduce attack surface.

Implement WAF rules (all): Configure web application firewall to block XSS payloads in branch names.

🧯 If You Can't Patch

  • Implement strict input validation to sanitize branch names before processing
  • Monitor for suspicious branch creation activities and review branch names regularly

🔍 How to Verify

Check if Vulnerable:

Check GitLab version: if running 14.0 through 14.3.0, you are vulnerable. Test by attempting to create a branch with an XSS payload (e.g., <script>alert('test')</script>) and observing whether it executes.

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Verify Fix Applied:

After patching, attempt the same XSS payload test - the script should be properly escaped and not execute. Verify version is 14.1.7, 14.2.5, 14.3.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual branch creation events
  • Branch names containing script tags or JavaScript code
  • Multiple failed branch creation attempts with special characters

Network Indicators:

  • HTTP requests with malicious payloads in branch name parameters
  • Unusual traffic patterns to branch creation endpoints

SIEM Query:

source="gitlab.log" AND ("POST /api/v4/projects/*/repository/branches" OR "branch creation") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
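As an added example (not from this page or from GitLab), the same log indicators as a small Python scan over constructed log lines in the shape of GitLab's production_json.log; the field names method, path, params and username are assumed, as is the list-of-key/value layout of params.

```python
import json
import re

# Markers the Detection section lists for script injection in a branch name.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)
# Branch-creation endpoint named in the SIEM query above.
BRANCH_CREATE = re.compile(r"^/api/v4/projects/[^/]+/repository/branches$")

# Constructed sample entries (assumed production_json.log field names; not captured
# from a real instance). One benign creation, one with a script tag, one GET, one junk line.
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/v4/projects/42/repository/branches",'
    '"params":[{"key":"branch","value":"feature/login"},{"key":"ref","value":"main"}],"username":"alice"}',
    '{"method":"POST","path":"/api/v4/projects/42/repository/branches",'
    '"params":[{"key":"branch","value":"<script>alert(\'test\')</script>"},{"key":"ref","value":"main"}],'
    '"username":"mallory"}',
    '{"method":"GET","path":"/api/v4/projects/42/repository/branches","params":[],"username":"bob"}',
    "not json at all",
]


def find_suspicious_branch_creations(lines):
    """Return (username, branch) for POSTs to the branch-creation endpoint whose
    branch parameter matches SUSPICIOUS. Malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        if entry.get("method") != "POST" or not BRANCH_CREATE.match(entry.get("path", "")):
            continue
        params = {p.get("key"): p.get("value") for p in entry.get("params", []) if isinstance(p, dict)}
        branch = params.get("branch") or ""
        if SUSPICIOUS.search(branch):
            hits.append((entry.get("username", "?"), branch))
    return hits


if __name__ == "__main__":
    for user, branch in find_suspicious_branch_creations(SAMPLE_LOG):
        print(f"suspicious branch creation by {user}: {branch!r}")
```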
