Researchers warn GitLab users of actively attacked old leak

Security researchers at Rapid7 warn GitLab users about a vulnerability that is being exploited in practice. This is an old bug that already has a patch. The bug allows attackers to execute code on a vulnerable system.

The vulnerability has been around for a long time. It concerns CVE-2021-22205, which already got a patch from GitLab in April. The bug is in all versions of GitLab Community Edition CE as well as Enterprise Edition EE as of version 7.12. The bug has been fixed in versions 13.8.8, 13.9.6 and 13.10.3 of GitLab. Despite this, researchers at Rapid7 and HN Security say they have seen multiple attacks recently where the vulnerability was exploited. Rapid7 predicts that this will happen more often, especially as the bug has become more severe.

When the bug was discovered, it got a critical CSVV score of 9.9, but later that was raised to 10. That’s because an exploit initially required an authenticated account, but later turned out not to be necessary. The bug made it possible to run git commands by opening an infected DjVu file on the installation.

According to Rapid7, there are currently 60,000 GitLab installations publicly available on the web. Half of these have not yet implemented the available patch. In nearly a third of cases, Rapid7 could not say for sure whether the patch had been implemented. It is not known how many active attacks are taking place on the servers, but it seems to be a small number for the time being. For example, the researchers at HN Security only talk about anecdotal cases where customers were infected.