According to cybersecurity researchers, a now-patched critical Remote Code Execution (RCE) flaw in GitLab’s web interface has been actively exploited in the wild, leaving a considerable number of internet-facing GitLab installations open to attack.
The issue, tracked as CVE-2021-22205, stems from improper validation of user-supplied images, which leads to arbitrary code execution. GitLab fixed it on April 14, 2021, in versions 13.8.8, 13.9.6, and 13.10.3; all versions from 11.9 onward were affected.
Although the flaw was originally classified as an authenticated RCE and given a CVSS score of 9.9, its severity was raised to 10.0 on September 21, 2021, because unauthenticated attackers can trigger it as well.
Despite the small change in CVSS score, the shift from authenticated to unauthenticated has significant ramifications for defenders, cybersecurity company Rapid7 said in an advisory published Monday.
Although fixes have been publicly available for more than six months, only 21% of the 60,000 internet-facing GitLab installations are believed to be fully patched against the bug, and another 50% remain exposed to RCE attacks.
Given the vulnerability’s unauthenticated nature, exploitation activity is likely to escalate, making it vital that GitLab users upgrade to the latest version as soon as possible.
In the researchers’ view, GitLab should not, as a rule, be an internet-facing service; if you need to reach it from the internet, consider placing it behind a VPN. Here is a link to additional technical information about the issue.
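For defenders checking their own inventory against the figures above, the following added example (not GitLab’s or Rapid7’s code) classifies a GitLab version string as vulnerable or patched using only the version numbers the article gives: affected from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3. It assumes that any minor release after 13.10 (which shipped after the fix) is patched, that the three listed branches were the only ones to receive a fix, and the sample inventory and hostnames are constructed.

```python
"""Triage GitLab versions against the CVE-2021-22205 fix releases.

Added defender-side example; not GitLab's or Rapid7's code. Version
boundaries come from the article; the inventory below is constructed.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (11, 9, 0)
# Fixed releases per minor branch as listed in the article.
FIXED: Dict[Tuple[int, int], Version] = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
# Assumption: every minor from 13.11 on was cut after the April 2021 fix.
FIRST_FIXED_MINOR = (13, 11)


def parse_version(text: str) -> Version:
    """Turn '13.10.2-ee' or '13.9' into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]  # drop edition suffix such as -ee / -ce
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True if the version is in the affected range and below its branch fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v[:2] >= FIRST_FIXED_MINOR:
        return False
    fix = FIXED.get(v[:2])
    if fix is None:
        # Assumption: 11.9 through 13.7 received no backported fix, so treat
        # them as vulnerable and schedule an upgrade.
        return True
    return v < fix


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable' or 'patched' for an upgrade list."""
    return {h: "vulnerable" if is_vulnerable(v) else "patched" for h, v in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory; hostnames are placeholders
        "git.example.test": "13.10.2-ee", "ci.example.test": "13.10.3-ce",
        "old.example.test": "11.8.0", "legacy.example.test": "12.10.14",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```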