| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2021-22213, CVE-2021-22181, CVE-2021-22214, CVE-2021-22217, CVE-2021-22221, CVE-2021-22216, CVE-2021-22220, CVE-2021-22219, CVE-2021-22215, CVE-2021-22218 |
| CWE-ID | CWE-79, CWE-20, CWE-918, CWE-400, CWE-613, CWE-200, CWE-295 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #3 is being exploited in the wild. |
| Vulnerable software | GitLab Community Edition, GitLab Enterprise Edition (Universal components / Libraries / Software for developers) |
| Vendor | GitLab, Inc |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU54021
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22213
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the OAuth flow. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 7.10 - 13.12.1
GitLab Enterprise Edition: 7.10.0 - 13.12.0
References
https://hackerone.com/reports/1089277
https://gitlab.com/gitlab-org/gitlab/-/issues/300308
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22213.json
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54085
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22181
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can create a recursive pipeline relationship to exhaust resources and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 11.8.0 - 13.12.1
GitLab Enterprise Edition: 11.8.0 - 13.12.0
References
https://gitlab.com/gitlab-org/gitlab/-/issues/249100
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22181.json
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54086
Risk: High
CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:A/U:Amber]
CVE-ID: CVE-2021-22214
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: Yes
Description
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 10.5 - 13.12.1
GitLab Enterprise Edition: 10.5.0 - 13.12.0
References
https://gitlab.com/gitlab-org/gitlab/-/issues/322926
https://hackerone.com/reports/1110131
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22214.json
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54087
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22217
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote authenticated attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 0.1.5 - 13.12.1
GitLab Enterprise Edition: 6.2.0 - 13.12.0
References
https://gitlab.com/gitlab-org/gitlab/-/issues/300709
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22217.json
https://hackerone.com/reports/1090049
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54088
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22221
CWE-ID:
CWE-613 - Insufficient Session Expiration
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an insufficient session expiration issue. A remote non-authenticated attacker can obtain or guess a session token and gain unauthorized access to a session that belongs to another user.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 12.9.0 - 13.12.1
GitLab Enterprise Edition: 12.9.0 - 13.12.0
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22221.json
https://gitlab.com/gitlab-org/gitlab/-/issues/292006
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54090
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22216
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote authenticated attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 0.1.5 - 13.12.1
GitLab Enterprise Edition: 6.2.0 - 13.12.0
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22216.json
https://gitlab.com/gitlab-org/gitlab/-/issues/329890
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54093
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22220
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the blob viewer for notebooks. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 13.10.0 - 13.12.1
GitLab Enterprise Edition: 13.10.0 - 13.12.0
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22220.json
https://hackerone.com/reports/1060114
https://gitlab.com/gitlab-org/gitlab/-/issues/294128
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54094
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22219
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists because sensitive information is not correctly registered for log masking. A remote administrator can gain unauthorized access to sensitive information on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 9.5 - 13.12.1
GitLab Enterprise Edition: 9.5.0 - 13.12.0
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22219.json
https://gitlab.com/gitlab-org/gitlab/-/issues/296995
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54095
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22215
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote administrator can leak information about members' on-call rotations in other projects.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 13.11.0 - 13.12.1
GitLab Enterprise Edition: 13.11.0 - 13.12.0
References
https://gitlab.com/gitlab-org/gitlab/-/issues/328668
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22215.json
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54096
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-22218
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper handling of X.509 certificates. A remote authenticated attacker can spoof the author of signed commits.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
GitLab Community Edition: 12.8.0 - 13.12.1
GitLab Enterprise Edition: 12.8.0 - 13.12.0
References
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22218.json
https://gitlab.com/gitlab-org/gitlab/-/issues/297665
https://hackerone.com/reports/1077019
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.