Service Notices
Warning on Exploit of GitLab Remote Command Execution Vulnerability (CVE-2021-22205)
Nov 03, 2021 GMT+08:00
I. Overview
On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service's web interface, which has since been exploited in the wild on the Internet. GitLab did not properly validate image files that are passed to a file parser, which results in remote command execution. A proof of concept (PoC) for this vulnerability has been published, and the risk is high.
GitLab is a Git-based, fully integrated platform for software development. If you are a GitLab user, check your system and apply security hardening promptly.
Reference: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
11.9 <= GitLab (CE/EE) < 13.8.8
13.9 <= GitLab (CE/EE) < 13.9.6
13.10 <= GitLab (CE/EE) < 13.10.3
Secure versions:
GitLab (CE/EE) 13.8.8
GitLab (CE/EE) 13.9.6
GitLab (CE/EE) 13.10.3
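As an added example that is not part of this notice, the following Python checker tests a GitLab version string against the affected ranges listed above and names the secure version of the same release line; the sample version in it is constructed, and obtaining the version (for example from the Admin Area or the GitLab /api/v4/version endpoint) is assumed to be done separately.

```python
import sys
from typing import Optional, Tuple

# Affected ranges as stated in the notice, as [lower, upper): the upper bound
# of each range is the first secure version of that release line.
AFFECTED_RANGES = [
    ("11.9", "13.8.8"),
    ("13.9", "13.9.6"),
    ("13.10", "13.10.3"),
]

def parse_version(version: str) -> Tuple[int, int, int]:
    """Convert '13.10.2-ee' or '13.9' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-")[0]   # strip '-ee' / '-ce' edition suffixes
    parts = core.split(".")
    while len(parts) < 3:                   # '13.9' means the first release, 13.9.0
        parts.append("0")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch

def is_affected(version: str) -> bool:
    """True if the version falls inside one of the notice's affected ranges."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(high)
               for low, high in AFFECTED_RANGES)

def recommended_version(version: str) -> Optional[str]:
    """Secure version of the matching release line for an affected install, else None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None

if __name__ == "__main__":
    # Usage: python check_gitlab.py <version>; default is a constructed sample.
    ver = sys.argv[1] if len(sys.argv) > 1 else "13.10.2-ee"
    if is_affected(ver):
        print(f"{ver}: AFFECTED by CVE-2021-22205, upgrade to {recommended_version(ver)}")
    else:
        print(f"{ver}: not in the affected ranges of this notice")
```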
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official releases. If your version falls into the affected range, upgrade it to a secure version.
Link: https://about.gitlab.com/update/
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.