silversurfer

A now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks.

Tracked as CVE-2021-22205, the issue relates to an improper validation of user-provided images that results in arbitrary code execution. The vulnerability, which affects all versions starting from 11.9, has since been addressed by GitLab on April 14, 2021 in versions 13.8.8, 13.9.6, and 13.10.3.

In one of the real-world attacks detailed by HN Security last month, two user accounts with admin privileges were registered on a publicly-accessible GitLab server belonging to an unnamed customer by exploiting the aforementioned flaw to upload a malicious payload that leads to remote execution of arbitrary commands, including obtaining elevated permissions.

Although the flaw was initially deemed to be a case of authenticated RCE and assigned a CVSS score of 9.9, the severity rating was revised to 10.0 on September 21, 2021 owing to the fact that it can be triggered by unauthenticated threat actors as well.

"Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders," cybersecurity firm Rapid7 said in an alert published Monday.

Despite the public availability of the patches for more than six months, of the 60,000 internet-facing GitLab installations, only 21% of the instances are said to be fully patched against the issue, with another 50% still vulnerable to RCE attacks.
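The post gives enough to write a patch-status check for an inventory of GitLab instances: affected from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3. The script below is an added example, not code from the post or from GitLab; it assumes that release lines newer than 13.10 (13.11 and later) carry the fix, and the hostnames and version strings in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

# Facts from the post: vulnerable from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3.
FIRST_AFFECTED = (11, 9, 0)
FIXED_RELEASES = [(13, 8, 8), (13, 9, 6), (13, 10, 3)]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH]' (optionally with a '-ee'/'-ce' suffix) into a tuple."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable_to_cve_2021_22205(version: str) -> bool:
    """True if this GitLab version still lacks the fix for CVE-2021-22205."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    # On a release line that received a backported fix, compare the patch level.
    for fix in FIXED_RELEASES:
        if v[:2] == fix[:2]:
            return v < fix
    # Not on a patched line: older lines (e.g. 13.7.x, 12.x) never got the fix;
    # newer lines (13.11+) are assumed here to include it.
    return v < min(FIXED_RELEASES)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported GitLab version is still vulnerable."""
    return sorted(
        host for host, ver in inventory.items() if is_vulnerable_to_cve_2021_22205(ver)
    )


# Constructed sample inventory: hostname -> version reported by the instance.
SAMPLE_INVENTORY = {
    "git-old.example.internal": "13.7.9",
    "git-a.example.internal": "13.8.7-ee",
    "git-b.example.internal": "13.8.8",
    "git-c.example.internal": "13.10.2",
    "git-legacy.example.internal": "11.8.0",
    "git-new.example.internal": "14.3.0",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"VULNERABLE  {host}  ({SAMPLE_INVENTORY[host]})")
```

The fixed versions are branch-specific, so a plain "newer than 13.8.8" comparison would wrongly clear 13.9.0 through 13.9.5 and 13.10.0 through 13.10.2; the loop over FIXED_RELEASES handles that.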

LASER_oneXM

A critical unauthenticated, remote code execution GitLab flaw fixed on April 14, 2021, remains exploitable, with over 50% of deployments remaining unpatched.

The vulnerability is tracked as CVE-2021-22205 and has a CVSS v3 score of 10.0, allowing an unauthenticated, remote attacker to execute arbitrary commands as the 'git' user (repository admin).

This vulnerability gives the remote attacker full access to the repository, including deleting, modifying, and stealing source code.

Exploitation in the wild

Hackers first started exploiting internet-facing GitLab servers in June 2021 to create new users and give them admin rights.

The actors used a working exploit published on GitHub on June 4, 2021, allowing them to abuse the vulnerable ExifTool component.