GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution - Nessus

Critical   Plugin ID: 159925

This page contains detailed information about the GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution Nessus plugin, including the publicly available exploits and PoCs (Metasploit, Exploit-DB, GitHub) that can be used to verify this vulnerability.

Plugin Overview

ID: 159925
Name: GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution
Filename: gitlab_cve-2021-22205.nasl
Vulnerability Published: 2021-04-23
This Plugin Published: 2022-04-20
Last Modification Time: 2022-04-27
Plugin Version: 1.3
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: gitlab_webui_detect.nbin
Required KB Items: installed_sw/GitLab

Vulnerability Information

Severity: Critical
Vulnerability Published: 2021-04-23
Patch Published: 2021-04-23
CVE: CVE-2021-22205
CPE: cpe:/a:gitlab:gitlab
Exploited by Malware: True

Synopsis

A source control application running on the remote web server is affected by a remote code execution vulnerability.

Description

According to its self-reported version, the instance of GitLab running on the remote web server is 11.9.x prior to 13.8.8, 13.9.0 prior to 13.9.6, or 13.10.0 prior to 13.10.3. It is, therefore, affected by a remote code execution vulnerability caused by improper validation of uploaded image files by a third-party file parser (ExifTool, as the Metasploit module name below indicates). An unauthenticated, remote attacker can exploit this to execute arbitrary commands on the host running GitLab and fully compromise the instance.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to GitLab version 13.8.8, 13.9.6, 13.10.3, or later.

Public Exploits

Target Network Port(s): 80, 443
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution vulnerability:

  1. Metasploit: exploit/multi/http/gitlab_exif_rce
    [GitLab Unauthenticated Remote ExifTool Command Injection]
  2. Exploit-DB: exploits/ruby/webapps/50532.txt
    [EDB-50532: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)]
  3. GitHub: https://github.com/0x0021h/expbox
    [CVE-2021-22205]
  4. GitHub: https://github.com/AkBanner/CVE-2021-22205
    [CVE-2021-22205]
  5. GitHub: https://github.com/FDlucifer/firece-fish
    [CVE-2021-22205]
  6. GitHub: https://github.com/GitLab-Red-Team/cve-2021-22205-hash-harvester
    [CVE-2021-22205: Finds an identifiable hash value for each version of GitLab vulnerable to ...]
  7. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2021-22205]
  8. GitHub: https://github.com/Qclover/Gitlab_RCE_CVE_2021_22205
    [CVE-2021-22205]
  9. GitHub: https://github.com/RedTeamWing/CVE-2021-22205
    [CVE-2021-22205: Pocsuite3 For CVE-2021-22205]
  10. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2021-22205]
  11. GitHub: https://github.com/ahmad4fifz/docker-cve-2021-22205
    [CVE-2021-22205]
  12. GitHub: https://github.com/b3tterm4n/CVE-2021-22205
    [CVE-2021-22205: personal]
  13. GitHub: https://github.com/binganao/vulns-2022
    [CVE-2021-22205]
  14. GitHub: https://github.com/cryst4lliz3/CVE-2021-22205
    [CVE-2021-22205]
  15. GitHub: https://github.com/faisalfs10x/GitLab-CVE-2021-22205-scanner
    [CVE-2021-22205]
  16. GitHub: https://github.com/gardenWhy/Gitlab-CVE-2021-22205
    [CVE-2021-22205: batch detection script for CVE-2021-22205]
  17. GitHub: https://github.com/hanc00l/some_pocsuite
    [CVE-2021-22205]
  18. GitHub: https://github.com/hh-hunter/cve-2021-22205
    [CVE-2021-22205]
  19. GitHub: https://github.com/honypot/CVE-2021-22205
    [CVE-2021-22205]
  20. GitHub: https://github.com/jas502n/GitlabVer
    [CVE-2021-22205]
  21. GitHub: https://github.com/jusk9527/GobyPoc
    [CVE-2021-22205]
  22. GitHub: https://github.com/momika233/cve-2021-22205-GitLab-13.10.2---Remote-Code-Execution-RCE-Unauthenticated-
    [CVE-2021-22205: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) cve-2021-22205]
  23. GitHub: https://github.com/mr-r3bot/Gitlab-CVE-2021-22205
    [CVE-2021-22205]
  24. GitHub: https://github.com/sanqiushu-ns/POC-scan
    [CVE-2021-22205]
  25. GitHub: https://github.com/woods-sega/woodswiki
    [CVE-2021-22205]
  26. GitHub: https://github.com/ahmad4fifz/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205 on Docker]
  27. GitHub: https://github.com/Al1ex/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205& GitLab CE/EE RCE]
  28. GitHub: https://github.com/c0okB/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205 RCE]
  29. GitHub: https://github.com/devdanqtuan/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205& GitLab CE/EE RCE]
  30. GitHub: https://github.com/DIVD-NL/GitLab-cve-2021-22205-nse
    [CVE-2021-22205: NSE script to fingerprint if GitLab is vulnerable to cve-2021-22205-nse]
  31. GitHub: https://github.com/findneo/GitLab-preauth-RCE_CVE-2021-22205
    [CVE-2021-22205: PoC in single line bash]
  32. GitHub: https://github.com/inspiringz/CVE-2021-22205
    [CVE-2021-22205: GitLab CE/EE Preauth RCE using ExifTool]
  33. GitHub: https://github.com/pizza-power/Golang-CVE-2021-22205-POC
    [CVE-2021-22205: A CVE-2021-22205 Gitlab RCE POC written in Golang]
  34. GitHub: https://github.com/runsel/GitLab-CVE-2021-22205-
    [CVE-2021-22205: Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution]
  35. GitHub: https://github.com/shang159/CVE-2021-22205-getshell
    [CVE-2021-22205: CVE-2021-22205-getshell]
  36. GitHub: https://github.com/X1pe0/Automated-Gitlab-RCE
    [CVE-2021-22205: Automated Gitlab RCE via CVE-2021-22205]
  37. GitHub: https://github.com/XTeam-Wing/CVE-2021-22205
    [CVE-2021-22205: Pocsuite3 For CVE-2021-22205]
  38. GitHub: https://github.com/antx-code/CVE-2021-22205
    [CVE-2021-22205: Gitlab CE/EE RCE unauthenticated remote code execution vulnerability POC && EXP CVE-2021-22205]
  39. GitHub: https://github.com/r0eXpeR/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205 Unauthorized RCE]
  40. GitHub: https://github.com/Seals6/CVE-2021-22205
    [CVE-2021-22205: batch detection and exploitation tool for the CVE-2021-22205 unauthenticated vulnerability]
  41. GitHub: https://github.com/whwlsfb/CVE-2021-22205
    [CVE-2021-22205: CVE-2021-22205 Gitlab unauthenticated remote code execution vulnerability EXP; the dependency on djvumake & djvulibre has been removed so it can be used on Windows]

Before running any exploit against any system, make sure the owner of the target system(s) has authorized you to do so; otherwise the activity is illegal.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source: CVE-2021-22205
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 6.5 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.5 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 10.0 (Critical)
Impact Subscore: 6.0
Exploitability Subscore: 3.9
CVSS Temporal Score: 9.5 (Critical)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 9.5 (Critical)
STIG Severity: I
STIG Risk Rating: High


Plugin Source

This is the source code of the gitlab_cve-2021-22205.nasl Nessus plugin. This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(159925);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/27");

  script_cve_id("CVE-2021-22205");
  script_xref(name:"IAVA", value:"2021-A-0523-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/11/17");

  script_name(english:"GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution");

  script_set_attribute(attribute:"synopsis", value:
"A source control application running on the remote web server is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of GitLab running on the remote web server is 11.9.x prior to
13.8.7, 13.9.0 prior to 13.9.5, or 13.10.0 prior to 13.10.2. It is, therefore, affected by a remote
code execution vulnerability due to improper validation of image files by a 3rd-party file parser . 
An unauthenticated, remote attacker could exploit this remote command execution vulnerability 
and cause the compromise of your GitLab instance.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://about.gitlab.com/blog/2021/11/04/action-needed-in-response-to-cve2021-22205/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?89a82423");
  script_set_attribute(attribute:"solution", value:
"Upgrade to GitLab version 13.8.8, 13.9.6, 13.10.3, or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-22205");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'GitLab Unauthenticated Remote ExifTool Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/04/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:gitlab:gitlab");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("gitlab_webui_detect.nbin");
  script_require_keys("installed_sw/GitLab");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf.inc');
include('http.inc');

var app = 'GitLab';
var port = get_http_port(default:80);

var app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

# Remote detection can only get the first two segments: e.g. <major_version>.<minor_version>
# <major_version>.<minor_version>.X is harder to be certain about.  
# Anything between the highest and lowest 'fixed_versions' requires paranoia if only 2 segments
# Adjust the following regex accordingly
if (report_paranoia < 2 && max_index(app_info.parsed_version[0]) < 3 
    && app_info.version =~ "^13\.(8|9|10)([^\d]|$)")
  audit(AUDIT_POTENTIAL_VULN, app, app_info.version, port);

var constraints = [
  { 'min_version' : '11.9.0', 'fixed_version' : '13.8.8' },
  { 'min_version' : '13.9.0', 'fixed_version' : '13.9.6' },
  { 'min_version' : '13.10.0', 'fixed_version' : '13.10.3' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);
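To make the version gate in the source concrete, here is the same check rewritten in Python. This is an added example, not Tenable's code: it carries the plugin's three constraint ranges and its regular expression for two-segment versions, and returns the equivalent of the plugin's AUDIT_POTENTIAL_VULN exit when a two-segment version lands in a branch where the answer depends on the patch level and the scan is not paranoid. A missing third segment is treated as 0 when comparing, an assumption about how vcf compares versions (the plugin's own comment only says such versions are uncertain). Edition suffixes such as "-ee" are stripped before parsing.

```python
"""Version gate of the plugin above, re-implemented in Python (added example)."""
import re

# Vulnerable ranges: min_version <= v < fixed_version, from the plugin's constraints.
CONSTRAINTS = [
    ("11.9.0", "13.8.8"),
    ("13.9.0", "13.9.6"),
    ("13.10.0", "13.10.3"),
]

# Same regex as the plugin: a two-segment version in 13.8 / 13.9 / 13.10 cannot be
# classified without the patch level, because each of those branches has a fix.
AMBIGUOUS_BRANCH = re.compile(r"^13\.(8|9|10)([^\d]|$)")


def parse_version(version: str) -> tuple:
    """'13.10.2-ee' -> (13, 10, 2); '13.8' -> (13, 8). Suffixes after the digits are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable GitLab version: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def _padded(v: tuple) -> tuple:
    """Pad to three segments so (13, 8) compares as 13.8.0 (assumption, see lead-in)."""
    return v + (0,) * (3 - len(v))


def assess(version: str, report_paranoia: int = 1) -> str:
    """Return 'vulnerable', 'not_vulnerable' or 'potential' for a self-reported version.

    'potential' mirrors the plugin's AUDIT_POTENTIAL_VULN exit: only two segments were
    detected, they fall in an ambiguous branch, and the scan is not paranoid (< 2).
    """
    parsed = parse_version(version)
    if report_paranoia < 2 and len(parsed) < 3 and AMBIGUOUS_BRANCH.match(version):
        return "potential"
    v = _padded(parsed)
    for lo, fixed in CONSTRAINTS:
        if _padded(parse_version(lo)) <= v < _padded(parse_version(fixed)):
            return "vulnerable"
    return "not_vulnerable"


if __name__ == "__main__":
    # Constructed sample versions covering each branch of the logic.
    for ver in ["13.10.2-ee", "13.10.3", "13.8", "13.7", "11.8.9", "14.0.0"]:
        print(f"{ver:12} -> {assess(ver)}")
```

Note the asymmetry the plugin's comment describes: "13.7" is reported as vulnerable on a non-paranoid scan because every 13.7.x release precedes 13.8.8, whereas "13.8" is audited out, since 13.8.0 through 13.8.7 are vulnerable but 13.8.8 is not and the patch level is unknown. Running with report_paranoia=2 drops that guard and treats "13.8" as 13.8.0.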

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/gitlab_cve-2021-22205.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\gitlab_cve-2021-22205.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/gitlab_cve-2021-22205.nasl


How to Run

Here is how to run the GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution plugin (ID 159925) on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. In the top right corner, click Disable All.
  5. In the left-hand table, select the CGI abuses plugin family.
  6. In the right-hand table, enable the GitLab 11.9.x < 13.8.8 / 13.9.0 < 13.9.6 / 13.10.0 < 13.10.3 Remote Code Execution plugin (ID 159925).
  7. Specify the target on the Settings tab and click Save.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl gitlab_cve-2021-22205.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a gitlab_cve-2021-22205.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - gitlab_cve-2021-22205.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful when running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state gitlab_cve-2021-22205.nasl -t <IP/HOST>


References

IAVA | Information Assurance Vulnerability Alert:
  • 2021-A-0523-S
See also: Similar and related Nessus plugins:
  • 154879 - GitLab 7.12.x < 13.8.8 / 13.9.x < 13.9.6 / 13.10.x < 13.10.3 RCE
  • 159830 - GitLab 14.7.x < 14.7.7 / 14.8.x < 14.8.5 / 14.9.x < 14.8.2 Default Password
  • 159823 - GitLab 14.4.x < 14.7.7 / 14.8.x < 14.8.5 / 14.9.x < 14.8.2 XSS
  • 152483 - GitLab SSRF (CVE-2021-22214)
  • 108422 - Debian DSA-4145-1 : gitlab - security update
  • 138123 - FreeBSD : Gitlab -- Multiple Vulnerabilities (0a305431-bc98-11ea-a051-001b217b3468)
  • 94663 - FreeBSD : gitlab -- Directory traversal via 'import/export' feature (10968dfd-a687-11e6-b2d3-60a44ce6887b)
  • 140234 - FreeBSD : Gitlab -- multiple vulnerabilities (1fb13175-ed52-11ea-8b93-001b217b3468)
  • 131970 - FreeBSD : Gitlab -- Multiple Vulnerabilities (21944144-1b90-11ea-a2d4-001b217b3468)
  • 121522 - FreeBSD : Gitlab -- Multiple vulnerabilities (467b7cbe-257d-11e9-8573-001b217b3468)
  • 150196 - FreeBSD : Gitlab -- Multiple Vulnerabilities (5f52d646-c31f-11eb-8dcf-001b217b3468)
  • 159496 - FreeBSD : Gitlab -- multiple vulnerabilities (8657eedd-b423-11ec-9559-001b217b3468)
  • 119271 - FreeBSD : Gitlab -- Multiple vulnerabilities (8a4aba2d-f33e-11e8-9416-001b217b3468)
  • 111178 - FreeBSD : Gitlab -- Remote Code Execution Vulnerability in GitLab Projects Import (8fc615cc-8a66-11e8-8c75-d8cb8abf62dd)
  • 139394 - FreeBSD : Gitlab -- Multiple Vulnerabilities (a003b74f-d7b3-11ea-9df1-001b217b3468)
  • 144815 - FreeBSD : Gitlab -- multiple vulnerabilities (a2a2b34d-52b4-11eb-87cb-001b217b3468)
  • 141148 - FreeBSD : Gitlab -- multiple vulnerabilities (a3495e61-047f-11eb-86ea-001b217b3468)
  • 102467 - FreeBSD : GitLab -- two vulnerabilities (abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b)
  • 156031 - FreeBSD : Gitlab -- Multiple Vulnerabilities (b299417a-5725-11ec-a587-001b217b3468)
  • 118497 - FreeBSD : Gitlab -- multiple vulnerabilities (b9591212-dba7-11e8-9416-001b217b3468)
  • 90877 - FreeBSD : gitlab -- privilege escalation via 'impersonate' feature (be72e773-1131-11e6-94fa-002590263bf5)
  • 123645 - FreeBSD : Gitlab -- Multiple vulnerabilities (da459dbc-5586-11e9-abd6-001b217b3468)
  • 108704 - FreeBSD : Gitlab -- multiple vulnerabilities (dc0c201c-31da-11e8-ac53-d8cb8abf62dd)
  • 136304 - FreeBSD : Gitlab -- Multiple Vulnerabilities (e8483115-8b8e-11ea-bdcf-001b217b3468)
  • 148702 - FreeBSD : Gitlab -- Vulnerabilities (fb6e53ae-9df6-11eb-ba8c-001b217b3468)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file gitlab_cve-2021-22205.nasl version 1.3. For more plugins, visit the Nessus Plugin Library.
