CVE-2021-22205
Detection of CVE-2021-22205 observed from our Honeypots
Sigma rule (View on GitHub)
1title: CVE-2021-22205
2status: experimental
3description: Detection of CVE-2021-22205 observed from our Honeypots
4references:
5 - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
6 - https://nvd.nist.gov/vuln/detail/CVE-2021-22204
7 - https://hackerone.com/reports/1154542
8 - https://www.exploit-db.com/exploits/49951
9 - https://github.com/CsEnox/Gitlab-Exiftool-RCE
10author: Loginsoft Research Unit
11date: 2021/11/1
12logsource:
13 product: Gitlab
14 category: Web-based DevOps Lifecycle tool
15detection:
16 selection1:
17 c-uri: "/users/sign_in"
18 cs-method: "GET"
19 selection2:
20 c-uri: "/uploads/user"
21 cs-method: "POST"
22 keywords1:
23 - "Copyright"
24 keywords2:
25 - "wget"
26 - "curl"
27 condition: selection1 and selection2 and keywords1 and keywords2
28level: High
References
-
CVE-2021-22205 Detail Description An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file p...
Read More -
Added CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* Changed CPE Configurati...
Read More -
### Summary When uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags. An issue with this is that ExifTool will ignore the file extension and try to determine what the file is...
Read More -
Gitlab 13.10.2 - Remote Code Execution (Authenticated).. webapps exploit for Ruby platform
Read More -
RCE Exploit for Gitlab < 13.10.3. Contribute to CsEnox/Gitlab-Exiftool-RCE development by creating an account on GitHub.
Read More