A known vulnerability (CVE-2021-22205) is being actively exploited to take control of self-managed GitLab servers, Rapid7 researcher Jacob Baines reports. What makes it worse is that at least half of the roughly 60,000 internet-facing GitLab installations the company has identified remain unpatched against it.

Damian Menscher, a security reliability engineer responsible for DDoS defense at Google, commented: "What are the attackers doing with these servers?"

GitLab patched the vulnerability in April 2021. It stems from the service's web interface failing to properly validate uploaded image files before passing them to the bundled copy of ExifTool; a crafted image triggers code execution inside ExifTool. The result is remote code execution on the server without first authenticating to it.

“There are multiple recently published public exploits for this vulnerability, and it reportedly has been exploited in the wild since June or July of 2021. We expect exploitation to increase as details of the unauthenticated nature of this vulnerability become more widely understood,” Baines noted.

CVE-2021-22205 affects GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) from version 11.9 onward, up to the versions GitLab fixed in April 2021.
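A quick way to triage an inventory of instances is to compare each server's reported version against the affected range. The following is an added example, not code from the article or from Rapid7; it assumes the fixed releases from GitLab's April 2021 security release (13.10.3, 13.9.6 and 13.8.8), which you should confirm against GitLab's own advisory, and takes version strings in the form GitLab prints them (for example "13.10.2-ee", as shown on the /help page or returned by the authenticated /api/v4/version endpoint).

```python
# Version-range check for CVE-2021-22205 (added example; verify the fixed
# versions below against GitLab's advisory before relying on them).
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First affected release named in the advisory.
FIRST_AFFECTED: Version = (11, 9, 0)

# Backported fixes per maintenance branch (assumed from GitLab's April 2021
# security release). Anything on or after 13.10.3 is assumed patched.
FIXED_ON_BRANCH: Dict[Tuple[int, int], Version] = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
FIRST_FIXED_MAINLINE: Version = (13, 10, 3)


def parse_version(version_string: str) -> Version:
    """Turn '13.10.2-ee' or '13.9' into a comparable (major, minor, patch) tuple."""
    core = version_string.strip().split("-")[0]      # drop '-ee', '-ce', '-rc1' suffixes
    parts = [int(p) for p in core.split(".") if p]
    if not parts:
        raise ValueError(f"unparseable GitLab version: {version_string!r}")
    while len(parts) < 3:                            # '13.9' -> (13, 9, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version_string: str) -> bool:
    """True if this GitLab version falls inside the CVE-2021-22205 affected range."""
    v = parse_version(version_string)
    if v < FIRST_AFFECTED:
        return False                                 # predates the affected code
    branch_fix = FIXED_ON_BRANCH.get((v[0], v[1]))
    if branch_fix is not None:
        return v < branch_fix                        # on a branch that received a backport
    return v < FIRST_FIXED_MAINLINE                  # older unpatched branch, or newer release


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map hostname -> vulnerable? for a dict of hostname -> reported version."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "git.example.internal": "13.10.2-ee",
        "git-old.example.internal": "12.4.1-ce",
        "git-new.example.internal": "14.3.1-ee",
        "git-lts.example.internal": "13.8.8-ce",
    }
    for host, vulnerable in triage(sample).items():
        print(f"{host}: {'VULNERABLE - patch now' if vulnerable else 'not in affected range'}")
```

The version check is only a first pass: a server that was vulnerable at any point since June 2021 may already have been compromised, so patched-but-previously-exposed hosts still need the post-exploitation review Rapid7 describes.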

Anyone who has not yet updated their GitLab instance should do so immediately. Beyond that, organisations should avoid exposing GitLab directly to the internet at all.

“If you need to access your GitLab from the internet, consider placing it behind a VPN,” Baines advised.

Rapid7 has also published a technical analysis along with instructions for checking whether a GitLab server is vulnerable and whether it has already been compromised.