CVE-2021-22205
Summary
| CVE | CVE-2021-22205 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-23 18:15:00 UTC |
| Updated | 2022-07-12 17:42:00 UTC |
| Description | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. |
Risk And Classification
EPSS: 0.944670000 probability, percentile 0.999960000 (date 2026-04-01)
CISA KEV: Listed on 2021-11-03; due 2021-11-17; ransomware use Known
Problem Types: CWE-94
CISA Known Exploited Vulnerability
| Vendor | GitLab |
|---|---|
| Product | Community and Enterprise Editions |
| Name | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2021-22205 |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| GitLab Unauthenticated Remote ExifTool Command Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| GitLab 13.10.2 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Not Found | MISC | gitlab.com | |
| 2021/CVE-2021-22205.json · master · GitLab.org / cves · GitLab | CONFIRM | gitlab.com | |
| HackerOne | MISC | hackerone.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program
Legacy QID Mappings
- 375475 GitLab Multiple Security Vulnerabilities(gitlab- 13-10-3)