{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-060.pdf"
    },
    "title": "Critical Vulnerabilities in GitLab",
    "serial_number": "2021-060",
    "publish_date": "03-11-2021 16:23:00",
    "description": "On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service\u2019s web interface. In the meantime, it was proven that the vulnerability can be exploited unauthenticated. Moreover, recently it was announced that at least 50% of the 60,000 internet-facing GitLab installations are not patched against this critical RCE flaw.",
    "url_title": "2021-060",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0GitLab'\nversion: '1.0'\nnumber: '2021-060'\ndate: 'November 3, 2021'\n---\n\n_History:_\n\n* _03/11/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn April 14, 2021, GitLab published a security release to address CVE-2021-22205 [1], a critical remote code execution vulnerability in the service\u2019s web interface. In the meantime, it was proven that the vulnerability can be exploited unauthenticated. Moreover, recently it was announced that at least 50% of the 60,000 internet-facing GitLab installations are not patched against this critical RCE flaw [2].\n\n# Technical Details\n\nCVE-2021-22205 [3] was initially assigned a CVSSv3 score of 9.9. However, on September 21, 2021, GitLab revised the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from requiring an authenticated user to an unauthenticated one.\n\nInitially, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service\u2019s embedded version of ExifTool. A remote attacker would execute arbitrary commands as the git user due to ExifTool\u2019s mishandling of DjVu files, an issue that was later assigned CVE-2021-22204. Unauthenticated and remote users are able to reach execution of ExifTool via GitLab by design. A curl command is sufficient to reach, and exploit, ExifTool [4].\n\n# Affected Products\n\nThis vulnerability affects versions 7.12 and later [1] except the patched versions mentioned below.\n\n# Recommendations\n\nUpgrade to patched versions:\n\n- 13.10.3\n- 13.9.6\n- 13.8.8\n\nCERT-EU recommends updating the vulnerable application as soon as possible. It is also recommended to search for a potential compromise that might have occurred while the server was unpatched. Please refer to [4] to see how to determine whether your instance was affected.\n\n\n## Workarounds and Mitigations\n\nTo mitigate the vulnerability, GitLab should not be exposed to the Internet. If it still needs to be accessed remotely, a VPN might be considered. For more details regarding Exposure and Mitigation Guidance, please see [4].\n\n# References\n\n[1] <https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/>\n\n[2] <https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205>\n\n[4] <https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/11/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 14, 2021, GitLab published a security release to address CVE-2021-22205 [1], a critical remote code execution vulnerability in the service\u2019s web interface. In the meantime, it was proven that the vulnerability can be exploited unauthenticated. Moreover, recently it was announced that at least 50% of the 60,000 internet-facing GitLab installations are not patched against this critical RCE flaw [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>CVE-2021-22205 [3] was initially assigned a CVSSv3 score of 9.9. However, on September 21, 2021, GitLab revised the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from requiring an authenticated user to an unauthenticated one.</p><p>Initially, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service\u2019s embedded version of ExifTool. A remote attacker would execute arbitrary commands as the git user due to ExifTool\u2019s mishandling of DjVu files, an issue that was later assigned CVE-2021-22204. Unauthenticated and remote users are able to reach execution of ExifTool via GitLab by design. A curl command is sufficient to reach, and exploit, ExifTool [4].</p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects versions 7.12 and later [1] except the patched versions mentioned below.</p><h2 id=\"recommendations\">Recommendations</h2><p>Upgrade to patched versions:</p><ul><li>13.10.3</li><li>13.9.6</li><li>13.8.8</li></ul><p>CERT-EU recommends updating the vulnerable application as soon as possible. It is also recommended to search for a potential compromise that might have occurred while the server was unpatched. Please refer to [4] to see how to determine whether your instance was affected.</p><h3 id=\"workarounds-and-mitigations\">Workarounds and Mitigations</h3><p>To mitigate the vulnerability, GitLab should not be exposed to the Internet. If it still needs to be accessed remotely, a VPN might be considered. For more details regarding Exposure and Mitigation Guidance, please see [4].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/\">https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/\">https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog\">https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}