Cyber Resilience

CVE-2021-22175

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 June 2021
Modified: 18 February 2026
CVSS Score: v3.1 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.7998 (99.1th percentile)
Risk Priority: 82 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22175 is a medium-severity SSRF (CWE-918) vulnerability in GitLab. Its CVSS base score is 6.8 (Medium).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

The vulnerability is a server-side request forgery (SSRF) flaw, tracked as CWE-918, that affects GitLab versions 10.5 and later. It is triggered when the instance is configured to allow webhooks to make requests to the internal network, enabling an attacker to cause the server to issue arbitrary requests.

An unauthenticated attacker can exploit the issue over the network, even on instances where user registration is disabled. Successful exploitation yields high confidentiality impact against internal resources while leaving integrity and availability unaffected, as reflected in the CVSS 6.8 score with scope change.

Advisories and additional technical details are available in the referenced GitLab CVE records, issue tracker entries, and the associated HackerOne report. No information on real-world exploitation or patches is provided in the source data.

EU & UK References

Vulnerability details

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled.

CWE(s): CWE-918 (Server-Side Request Forgery)
KEV Date Added: see CISA KEV catalog

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 10.5.0 to 13.6.7, 13.7.0 to 13.7.7

Mitigating Controls (NIST 800-53 r5)

prevent · SC-7 (Boundary Protection)
Enforces boundary protection rules that can explicitly deny the GitLab application from issuing webhook requests to internal network addresses.

prevent · AC-4 (Information Flow Enforcement)
Implements information flow enforcement policies that block unauthorized server-side requests from webhooks to internal resources.

prevent · Input validation
Requires validation of webhook URL inputs to reject addresses that target internal network destinations.
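The validation control above, and the flaw described under "Deeper analysis", both come down to one check: before the server issues a webhook request, every address the destination resolves to must be outside the internal network. The following is an added illustration written for this page in Ruby (GitLab's own language); it is not GitLab's code and does not reproduce the GitLab fix. The module name `WebhookUrlValidator`, the blocked ranges, and the injectable `resolver` lambda are assumptions of the example; the sample hostnames and addresses are constructed.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example (not GitLab's code): reject outbound webhook URLs whose
# destination is an internal network address (the CWE-918 condition).
module WebhookUrlValidator
  # Ranges treated as internal: unspecified, RFC 1918, CGNAT, loopback,
  # link-local (which covers cloud metadata endpoints) and their IPv6
  # counterparts (unspecified, loopback, unique-local, link-local).
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  # Default resolver asks system DNS; callers (and tests) may inject a stub.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  Result = Struct.new(:allowed, :reason, :resolved_ips)

  # True when the IP string lies in a blocked range. Unparseable input is
  # treated as internal (fail closed). IPv4-mapped IPv6 literals such as
  # ::ffff:10.0.0.1 are unwrapped so they are matched against the IPv4 ranges.
  def self.internal_ip?(ip)
    addr = IPAddr.new(ip.to_s)
    addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
  rescue ArgumentError
    true
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue ArgumentError
    false
  end

  # Validates a webhook URL. Every address the hostname resolves to is
  # checked, so a name that resolves to both a public and an internal
  # address is rejected rather than allowed on the first result.
  def self.validate(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url.to_s)
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      return Result.new(false, "scheme #{uri.scheme.inspect} not allowed", [])
    end
    host = uri.hostname # hostname (not host) strips brackets from IPv6 literals
    return Result.new(false, 'missing host', []) if host.nil? || host.empty?

    ips = ip_literal?(host) ? [host] : resolver.call(host)
    return Result.new(false, "#{host} did not resolve", []) if ips.empty?

    internal = ips.select { |ip| internal_ip?(ip) }
    unless internal.empty?
      return Result.new(false, "#{host} resolves to internal address #{internal.first}", ips)
    end
    Result.new(true, nil, ips)
  rescue URI::InvalidURIError => e
    Result.new(false, "unparseable URL: #{e.message}", [])
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the stub resolver keeps the demo runnable offline.
  stub = lambda do |host|
    { 'hooks.example' => ['203.0.113.10'],
      'intranet.example' => ['10.1.2.3'] }.fetch(host, [])
  end
  %w[https://hooks.example/notify https://intranet.example/ http://127.0.0.1:8080/
     http://[::ffff:10.0.0.1]/ http://169.254.169.254/latest/ ftp://hooks.example/].each do |u|
    r = WebhookUrlValidator.validate(u, resolver: stub)
    puts "#{r.allowed ? 'ALLOW ' : 'REJECT'} #{u}  #{r.reason}"
  end
end
```

Two design points matter in deployment. First, the decision is made on resolved addresses, not on the hostname string, which is why the resolver is part of the interface: a name-based deny list cannot see where a name actually points. Second, a check at URL-submission time is not the same as a check at request time; the address a name resolves to can change between the two, and HTTP redirects can lead the client elsewhere, so the same validation should be applied to the address actually connected to and to every redirect hop.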

References