CVE-2021-22205 is a critical severity vulnerability (CVSS 10.0) caused by improper validation of image files by the third-party file parser ExifTool, resulting in remote command execution that can lead to the compromise of your GitLab instance.
This issue was remediated and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 releases of April 14, 2021.
We have confirmed reports of the vulnerability being exploited on self-managed public-facing GitLab instances. GitLab.com users are not affected.
GitLab versions affected by CVE-2021-22205:
Self-managed customers running the following GitLab versions are vulnerable to this publicly available exploit:
- 11.9.x - 13.8.7
- 13.9.0 - 13.9.5
- 13.10.0 - 13.10.2
GitLab self-managed administrators can see their GitLab version at <gitlab_url>/admin.
See more about the dashboard.
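As an added example (not GitLab's own tooling), the following Python script checks a version string, as read from the admin page, against the affected ranges listed above and reports the first fixed release for that line. It assumes GitLab versions take the form MAJOR.MINOR.PATCH with an optional suffix such as `-ee`.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory (both bounds inclusive),
# paired with the first patched release for that line.
AFFECTED_RANGES = [
    ((11, 9, 0), (13, 8, 7), (13, 8, 8)),
    ((13, 9, 0), (13, 9, 5), (13, 9, 6)),
    ((13, 10, 0), (13, 10, 2), (13, 10, 3)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored.
    Assumption: GitLab version strings follow this shape."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_fix(version: str) -> Optional[Version]:
    """Return the first fixed release if the version is affected, else None.
    Tuple comparison is lexicographic, so 13.8.7 < 13.9.0 < 13.10.0 as intended."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None


def is_affected(version: str) -> bool:
    return affected_fix(version) is not None


def report(version: str) -> str:
    fix = affected_fix(version)
    if fix is None:
        return f"{version}: not in an affected range listed in the advisory"
    return f"{version}: AFFECTED by CVE-2021-22205; upgrade to {'.'.join(map(str, fix))} or later"


if __name__ == "__main__":
    # Constructed sample inputs, covering each range boundary and an unaffected release.
    for sample in ["13.10.2-ee", "13.10.3", "13.9.5", "13.8.8", "12.0.1", "11.8.9"]:
        print(report(sample))
```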
Determine if you have been impacted:
Steps that users can take to investigate whether their GitLab instance has been compromised are outlined in this forum post, "CVE-2021-22205: How to determine if a self-managed instance has been impacted".
Action you need to take:
Due to the severity and potential impact of exploitation of this vulnerability, it is imperative that users upgrade to a fixed version as soon as possible: https://about.gitlab.com/update. This issue was remediated and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 releases of April 14, 2021.
If you can't upgrade quickly, a hotpatch is available.
If you have questions, you may post in our forum on this topic. If you have an active Support contract, please create a support ticket at support.gitlab.com.