30,000 GitLab Servers Remain Unpatched Against Critical Bug

Share post:

A critical, unauthenticated, remote code execution GitLab bug remains exploitable, with over 50% of deployments remaining unpatched after it was fixed on April 14, 2021.

The vulnerability tracked as CVE-2021-22205 with a CVSS v3 score of 10.0, allows an unauthenticated, remote attacker to execute arbitrary commands as a “git’ user. This vulnerability allows the attacker to gain full access to the repository, including deleting, modifying, and stealing source code.

Hackers first exploited internet-facing GitLab servers in June 2021 to create new users and grant them admin privileges, and then exploited a working exploit released on GitHub on June 4, 2021, to abuse the vulnerable ExifTool component.

Attackers do not need to resort to authentication or the use of a CSRF token or even a valid HTTP endpoint to exploit.

Since the exploitation continues to this day, the researchers at Rapid7 decided to draw attention to the number of unpatched systems in order to determine the extent of the underlying problem.

In a report published by Rapid7, at least 50% of the 60,000 internet-facing GitLab installations they found were not patched against the critical RCE vulnerability that had been fixed six months earlier.

In addition, another 29% may or may not be vulnerable, with analysts failing to extract the version string for those servers.

Administrators need to upgrade to one of the following versions to fix the bug:

  • 13.10.3
  • 13.9.6
  • 13.8.8

To keep GitLab instances safe from exploitation, users should check its response to POST requests that aim to exploit the incorrect handling of image files by ExifTool. The patched versions still allow someone to contact ExifTool, but the response to the request should be a rejection via an HTTP 404 error.

For more information, read the original story in BleepingComputer.


Related articles

Cyber Security Today, June 12, 2024 – More Snowflake storage victims found, Microsoft issues new Windows patches,

More Snowflake storage victims found, Microsoft issues new Windows patches, and more. Welcome to Cyber Security Today. It's Wednesday,...

Former OpenAI employee alleges plan for AGI bidding war

In a recent interview, former OpenAI safety researcher Leopold Aschenbrenner made startling claims about his ex-employer's strategy regarding...

Malicious code in millions of installs traced to Microsoft Visual Studio

A group of Israeli researchers found thousands of potentially harmful extensions on the Visual Studio Code (VSCode) Marketplace,...

Cyber Security Today, June 10, 2024 – Microsoft backs down on Recall

Microsoft backs down on Recall. Welcome to Cyber Security Today. It's Monday, June 10th, 2024. I'm Howard Solomon, contributing...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways