Researchers found CVE-2021-22205, a CVSS 10 remote code execution vulnerability, exploited in the wild.
In April 2021, GitLab issued a security advisory to fix a remote code execution vulnerability in its service web interface – CVE-2021-22205. GitLab describes it as an unauthenticated vulnerability caused by passing a user-provided image to the ExifTool tool embedded in the service. A remote attacker can use this vulnerability to execute arbitrary commands as the git user.
The CVE-2021-22205 vulnerability has a CVSS score of 9.9. On September 21, GitLab revised the vulnerability's CVSS score from 9.9 to 10. The score was raised because the vulnerability was reclassified from authenticated to unauthenticated.
Exploitation in the wild
In a real-world attack report released by the HN security team in October, the attackers registered two users with administrator privileges, using two seemingly random usernames, during the two months from June to July.
The email address specified during registration is not verified by default, so newly created users can log in immediately. No other notification is sent to administrators during this process.
The researchers then discovered that the attacker logged into the GitLab server with the two newly created users and performed the following actions:
- User registration and login;
- Abusing the GitLab API to list all projects, including private projects;
- Uploading attachments to a project.
The uploaded attachment is in fact a malicious payload. The payload used in the in-the-wild exploit spawns a reverse shell and escalates the two newly registered users to administrators; other payloads can be used to achieve remote code execution. The entire exploit takes only two requests: on a default GitLab installation there is no need to abuse the API to find a valid project, and no session or authentication is needed:
- A request to obtain a CSRF token
- An unauthenticated request uploading the malicious payload
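The two-request pattern above is what a defender can hunt for in GitLab's request logs. The following is an added example (not code from the original report or from GitLab) that scans constructed log lines in the shape of GitLab's production_json.log and flags unauthenticated POSTs to an uploads path, noting the GET the same client made just before (the likely CSRF token fetch). The field names `method`, `path`, `remote_ip`, `username` and `time`, and the `/uploads` path match, are assumptions to adjust to your deployment's log schema.

```python
import json

# Constructed sample log lines (not real traffic) in the shape of
# GitLab's production_json.log; field names are an assumption.
SAMPLE_LOG = r'''
{"method":"GET","path":"/users/sign_in","status":200,"remote_ip":"203.0.113.5","username":null,"time":"2021-07-01T10:00:00Z"}
{"method":"POST","path":"/group/proj/uploads","status":200,"remote_ip":"203.0.113.5","username":null,"time":"2021-07-01T10:00:02Z"}
{"method":"POST","path":"/group/proj/uploads","status":200,"remote_ip":"198.51.100.7","username":"alice","time":"2021-07-01T11:00:00Z"}
{"method":"GET","path":"/group/proj","status":200,"remote_ip":"203.0.113.9","username":null,"time":"2021-07-01T12:00:00Z"}
'''.strip()


def parse_lines(text):
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious_uploads(events):
    """Return unauthenticated POSTs to an uploads path, each paired with the
    last GET seen from the same client IP (the CSRF token fetch in the
    two-request exploit chain). Authenticated uploads are normal and ignored."""
    last_get_by_ip = {}
    hits = []
    for ev in events:
        ip = ev.get("remote_ip")
        if ev.get("method") == "GET":
            last_get_by_ip[ip] = ev
            continue
        is_upload = ev.get("method") == "POST" and "/uploads" in (ev.get("path") or "")
        if is_upload and not ev.get("username"):
            hits.append({
                "remote_ip": ip,
                "path": ev.get("path"),
                "time": ev.get("time"),
                "preceding_get": (last_get_by_ip.get(ip) or {}).get("path"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_uploads(parse_lines(SAMPLE_LOG)):
        print(hit)
```

On a real deployment, run the scan over the whole log window between the first suspicious registration and the patch date, and treat any hit as a trigger to review admin accounts created in that period.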
The CVE-2021-22205 vulnerability affects all GitLab Enterprise Edition and Community Edition releases since 11.9.
The vulnerability has been fixed in the following versions: