30,000 GitLab Servers Remain Unpatched Against Critical Bug


A critical, unauthenticated remote code execution bug in GitLab remains widely exploitable, with about half of internet-facing deployments still unpatched more than six months after GitLab fixed it on April 14, 2021.

The vulnerability, tracked as CVE-2021-22205 with a CVSS v3 score of 10.0, allows an unauthenticated, remote attacker to execute arbitrary commands as the "git" user. That gives the attacker full access to the repositories hosted on the instance, including the ability to delete, modify, and steal source code.

Attackers began exploiting internet-facing GitLab servers in June 2021, creating new users and granting them admin privileges. They relied on a working exploit, published on GitHub on June 4, 2021, that abuses the vulnerable ExifTool component GitLab uses to process uploaded images.

Exploitation requires no authentication, no CSRF token, and not even a valid HTTP endpoint.

Because exploitation continues to this day, researchers at Rapid7 set out to measure how many systems remain unpatched in order to gauge the extent of the problem.

In a report published by Rapid7, at least 50% of the roughly 60,000 internet-facing GitLab installations the researchers found had not been patched against the critical RCE vulnerability, six months after the fix was released.

A further 29% may or may not be vulnerable: analysts could not extract a version string from those servers, so their patch status is unknown.

Administrators need to upgrade to at least one of the following versions to fix the bug:

  • 13.10.3
  • 13.9.6
  • 13.8.8

To verify that a GitLab instance is protected, administrators can check how it responds to the kind of POST request the exploit uses, an image upload that triggers ExifTool's faulty handling of image files. Patched versions still pass the upload to ExifTool, but the request should be rejected with an HTTP 404 error.

For more information, read the original story in BleepingComputer.
