Vulnerability Alert - GitLab
GitLab has published a security update to fix a Remote Code Execution vulnerability (CVE-2021-22205) in GitLab Community Edition (CE) and Enterprise Edition (EE).
GitLab was not properly validating image files passed to a file parser, which resulted in remote command execution.[1]
This vulnerability is being actively exploited.
If this vulnerability is successfully exploited, it allows an unauthenticated attacker to run remote code.
It is recommended to update affected products to the latest version of their release branch:
- 13.10.3;
- 13.9.6; and
- 13.8.8.
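To triage an inventory of GitLab instances against the fixed releases listed above, the following helper is an added example and not GitLab's own code. It assumes GitLab version strings are of the form MAJOR.MINOR.PATCH, optionally prefixed with "v" or suffixed with an edition tag such as "-ee"; the fixed versions are the three the advisory lists. Branches newer than 13.10 are reported as patched on the assumption that later releases include the fix; branches older than 13.8 are reported as unknown because the advisory states no fixed version for them.

```python
"""Version check for CVE-2021-22205 against the advisory's fixed releases.

Added example, not GitLab's own code. Assumes version strings look like
'13.9.5', 'v13.9.5' or '13.9.5-ee' (MAJOR.MINOR.PATCH plus optional tags).
"""
import re
from typing import Dict, List, Tuple

# Fixed releases from the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}

# Accept an optional leading 'v' and ignore any edition suffix after the patch number.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '13.9.5-ee' -> (13, 9, 5). Raises ValueError on unrecognised input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify one version as 'vulnerable', 'patched' or 'unknown'.

    'vulnerable': below the fixed release for a listed branch (13.8 / 13.9 / 13.10).
    'patched':    at or above the fixed release for its listed branch, or on a
                  newer branch (assumption: later releases contain the fix).
    'unknown':    on a branch older than 13.8, for which the advisory lists no fix.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        return "vulnerable" if (major, minor, patch) < fixed else "patched"
    oldest_listed = min(FIXED_VERSIONS)  # (13, 8)
    if branch < oldest_listed:
        return "unknown"
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts from a {hostname: version} inventory by assessment result.

    Unparseable version strings are placed under 'invalid' rather than raising,
    so one bad record does not abort a whole scan.
    """
    groups: Dict[str, List[str]] = {
        "vulnerable": [], "patched": [], "unknown": [], "invalid": []
    }
    for host, version in sorted(inventory.items()):
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["invalid"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "git-a.example": "13.9.5-ee",
        "git-b.example": "v13.10.3",
        "git-c.example": "13.7.9",
        "git-d.example": "13.11.1-ce",
        "git-e.example": "unknown-build",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket:11s}: {', '.join(hosts) or '-'}")
```

Run the script directly to see the constructed inventory sorted into buckets; in practice the inventory would come from an asset database or from each instance's reported version.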
[1] https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/#Remote-code-execution-when-uploading-specially-crafted-image-files
[2] https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/
[3] https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=blog