Action needed by self-managed customers in response to CVE-2021-22205

Published on: November 4, 2021

Self-managed users running outdated versions should update immediately.


CVE-2021-22205 is a critical severity vulnerability (CVSS 10.0) caused by improper validation of image files by a third-party file parser, ExifTool. It results in a remote command execution vulnerability that can lead to the compromise of your GitLab instance.

This issue was remediated and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 releases of April 14, 2021.

We have confirmed reports of the vulnerability being exploited on self-managed public-facing GitLab instances. GitLab.com users are not affected.

GitLab versions affected by CVE-2021-22205:

Self-managed customers running the following GitLab versions are vulnerable to this publicly available exploit:

  • 11.9.x - 13.8.7
  • 13.9.0 - 13.9.5
  • 13.10.0 - 13.10.2

GitLab self-managed administrators can see their GitLab version at <gitlab_url>/admin. See more about the dashboard.
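As an added example (not GitLab's code or part of this advisory), a small Python triage helper that maps version strings from a fleet inventory onto the affected ranges listed above; the host names and version strings in it are constructed.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive at both ends.
# "11.9.x - 13.8.7" is read as 11.9.0 through 13.8.7.
AFFECTED_RANGES = [
    ((11, 9, 0), (13, 8, 7)),
    ((13, 9, 0), (13, 9, 5)),
    ((13, 10, 0), (13, 10, 2)),
]
# Lowest release carrying the fix (13.8.8, 13.9.6 and 13.10.3 shipped April 14, 2021).
FIRST_FIXED = (13, 8, 8)


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from strings such as '13.9.5-ee' or '13.10.2'.
    Edition suffixes and build metadata are ignored; a missing patch is 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True if the version lies inside any affected range. Tuples compare
    numerically, so 13.10.2 sorts after 13.9.5; comparing the raw strings
    would get that wrong ("13.10.2" < "13.9.5" as text)."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify(text: str) -> str:
    """'affected', 'patched' (on or after a fixed release) or 'not listed'."""
    if is_affected(text):
        return "affected"
    return "patched" if parse_version(text) >= FIRST_FIXED else "not listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a host -> version inventory to its status."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git-a.example": "13.8.7-ee", "git-b.example": "13.9.6-ee",
              "git-c.example": "13.10.2", "git-d.example": "14.4.0-ce.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```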

Determine if you have been impacted:

Steps that users can take to investigate whether their GitLab instance has been compromised are outlined in this forum post, "CVE-2021-22205: How to determine if a self-managed instance has been impacted".

Action you need to take:

Due to the severity and potential impact of exploitation of this vulnerability, it is imperative that users upgrade to a fixed version as soon as possible: https://about.gitlab.com/update. This issue was remediated and patched in the GitLab 13.10.3, 13.9.6, and 13.8.8 releases of April 14, 2021.

If you can't upgrade quickly, a hotpatch is available.

If you have questions, you may post in our forum on this topic. If you have an active Support contract, please create a support ticket at support.gitlab.com.

Please subscribe to our security alerts mailing list.
