CVE-2021-22205 — GitLab Community and Enterprise Editions Remote Code Execution Vulnerability

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

How to fix CVE-2021-22205

To remediate CVE-2021-22205, upgrade the affected package to a fixed version below.

—upgrade to 13.8.8 or later

Is CVE-2021-22205 being exploited?

Yes — CVE-2021-22205 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

>= 11.9.0, < 13.8.8, >= 13.9.0, < 13.9.6, >= 13.10.0, < 13.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (7)

WEBpacketstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html
WEBpacketstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html
WEBgitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/327121