GitLab remote command execution vulnerability (CVE-2021-22205) warning

1. Basic situation

GitLab is an open source Git repository management platform. It uses Git as the underlying version control system and gives access to public or private projects through a web interface.

GitLab has released a security update bulletin fixing a remote command execution vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), tracked as CVE-2021-22205. An attacker who can upload an image to an affected instance can use this vulnerability to execute arbitrary commands on the target server. Affected users are advised to upgrade to a patched version of GitLab, inventory their self-hosted instances, and apply the mitigations below.


2. Vulnerability level

High risk

3. Vulnerability description

The vulnerability affects all versions from 11.9 onward. GitLab did not correctly validate uploaded image files before passing them to its image file parser (ExifTool), so a specially crafted image triggers command execution in the parser. An attacker can send a crafted upload request to execute arbitrary commands on the target system and ultimately take control of the GitLab server.

4. Affected versions

GitLab CE / EE >= 11.9, with the following patched releases on the three maintained branches:

GitLab CE / EE 13.10.x < 13.10.3

GitLab CE / EE 13.9.x < 13.9.6

GitLab CE / EE 13.8.x < 13.8.8

Earlier branches (11.9 through 13.7) received no fix and should be treated as affected until upgraded to one of the patched releases.
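As an added example that is not part of the original advisory, the affected ranges above expressed as a check that can be run over a version inventory. The inventory, the function names and the handling of the `-ee`/`-ce` suffix in GitLab version strings are constructed for illustration; branches newer than 13.10 are treated as unaffected because they shipped after the fix.

```python
import re

# First affected release per the advisory: every version from 11.9 onward.
FIRST_AFFECTED = (11, 9, 0)

# Patched release for each branch that received a fix (from the advisory).
# Branches from 11.9 up to 13.7 got no fix, so any version there is affected.
PATCHED = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}


def parse_version(text):
    """Turn a GitLab version string such as '13.10.2-ee' into (13, 10, 2).

    GitLab reports versions as MAJOR.MINOR.PATCH with an optional edition
    suffix; the suffix is ignored because CE and EE are affected alike.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised GitLab version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """Return True if the given GitLab version is vulnerable to CVE-2021-22205."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in PATCHED:
        # Fixed only from the patched release of that branch onward.
        return version < PATCHED[branch]
    if branch > (13, 10):
        # Released after the fix; never affected.
        return False
    # 11.9 .. 13.7: affected, and no patched release exists on the branch.
    return True


def triage(inventory):
    """Map host -> version to the list of hosts that still need an upgrade."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {
        "git-prod.example.internal": "13.10.2-ee",
        "git-staging.example.internal": "13.10.3-ee",
        "git-legacy.example.internal": "12.9.1-ce",
        "git-old.example.internal": "11.8.9-ce",
    }
    for host in triage(sample):
        print("UPGRADE REQUIRED:", host, sample[host])
```

Because the version inventory is the only input, the check can be run offline against data collected from each instance's admin page or from its API without touching the upload endpoint itself.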

5. Mitigation recommendations

Users are advised to upgrade GitLab Community Edition (CE) and Enterprise Edition (EE) to 13.10.3, 13.9.6 or 13.8.8 (or any later release). Self-hosted instances that expose image upload to untrusted users should be upgraded first; until then, restricting network access to the instance reduces exposure but does not remove the vulnerability.

Download link: https://about.gitlab.com/update

6. Reference link

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/

Source: https://cstis.cn/post/65a5b182-b8ff-850e-7acb-ab55ebcd7b57
