CVE-2021-22175
Published: 11 June 2021
Summary
CVE-2021-22175 is a medium-severity SSRF (CWE-918) vulnerability in GitLab. Its CVSS base score is 6.8 (Medium).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability is a server-side request forgery (SSRF) flaw, tracked as CWE-918, that affects GitLab versions 10.5 and later. It is triggered when the instance is configured to allow webhooks to make requests to the internal network, enabling an attacker to cause the server to issue arbitrary requests.
An unauthenticated attacker can exploit the issue over the network, even on instances where user registration is disabled. Successful exploitation yields high confidentiality impact against internal resources while leaving integrity and availability unaffected, as reflected in the CVSS 6.8 score with scope change.
Advisories and additional technical details are available in the referenced GitLab CVE records, issue tracker entries, and the associated HackerOne report. No information on real-world exploitation or patches is provided in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9321
Vulnerability details
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab, affecting all versions starting from 10.5, was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): enforces boundary protection rules that can explicitly deny the GitLab application from issuing webhook requests to internal network addresses.
- AC-4 (Information Flow Enforcement): implements information flow enforcement policies that block unauthorized server-side requests from webhooks to internal resources.
- Requires validation of webhook URL inputs to reject addresses that target internal network destinations.
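The webhook URL validation named above, as an added example that is not GitLab's own code: a Python check that resolves the webhook host and rejects any URL whose scheme is not HTTP(S) or whose address is loopback, private, link-local, CGNAT, multicast or otherwise non-global, failing closed when resolution fails. The hostnames and addresses in SAMPLE_DNS are constructed, and the `resolver` parameter is a hypothetical hook so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host):
    return [i[4][0] for i in socket.getaddrinfo(host, None)]  # every A/AAAA

def is_internal_address(ip):
    """True if a webhook must never be delivered to this address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    # not is_global covers loopback, RFC 1918, link-local, CGNAT, unspecified
    return not addr.is_global or addr.is_multicast or addr.is_reserved

def validate_webhook_url(url, resolver=system_resolver):
    """Return (allowed, reason); anything doubtful is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme not allowed or host missing"
    try:
        targets = [str(ipaddress.ip_address(host))]  # literal: no lookup
    except ValueError:
        try:
            targets = resolver(host)
        except OSError:  # socket.gaierror is a subclass: fail closed
            return False, f"could not resolve {host}"
    # Every record counts: one internal record among public ones rejects the
    # name. Pin the checked address when sending, or a later DNS answer can
    # differ from the one validated here (rebinding).
    internal = [ip for ip in targets if is_internal_address(ip)]
    if not targets or internal:
        return False, f"{host}: {internal or 'no addresses'} rejected"
    return True, "ok"

def fake_resolver(table):  # constructed offline stand-in for the OS resolver
    def resolve(host):
        if host not in table:
            raise OSError("NXDOMAIN (constructed)")
        return table[host]
    return resolve

SAMPLE_DNS = {"hooks.example.com": ["93.184.216.34"],  # constructed records
              "rebind.example.test": ["93.184.216.34", "10.0.0.8"]}
```

In a real deployment the same check must be repeated on redirects, since a public host that answers with a 30x to an internal address bypasses a one-time validation of the original URL.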