正文

GitLab 输入验证错误漏洞

admin
admin V管理员 /0 评论 /8 阅读
0304
此篇文章发布距今已超过1167天,您需要注意文章的内容或图片是否可用!

漏洞信息详情

GitLab 输入验证错误漏洞

  • CNNVD编号:CNNVD-202104-1685
    • <!--
  • 危害等级: 超危-->
  • 危害等级: 超危
  • CVE编号: CVE-2021-22205
  • 漏洞类型: 输入验证错误
  • 发布时间: 2021-04-22
  • 威胁类型: 远程
  • 更新时间: 2021-12-01
  • 厂        商:
  • 漏洞来源: Jacob Baines

漏洞简介

GitLab是美国GitLab公司的一款使用Ruby on Rails开发的、自托管的、Git(版本控制系统)项目仓库应用程序。该程序可用于查阅项目的文件内容、提交历史、Bug列表等。

Gitlab Community Edition 存在输入验证错误漏洞,该漏洞源于图像解析器在处理图像文件时输入验证不正确。以下产品及版本受到影响::Gitlab Community Edition: 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11.9.10, 11.9.11, 11.9.12, 11.10.0, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.11.0, 11.11.1, 11.11.2, 11.11.3, 11.11.4, 11.11.5, 11.11.7, 11.11.8, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.6, 12.0.8, 12.0.9, 12.0.10, 12.0.12, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.6, 12.1.8, 12.1.9, 12.1.10, 12.1.11, 12.1.12, 12.1.13, 12.1.14, 12.1.15, 12.1.16, 12.1.17, 12.2.0, 12.2.1, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.5.0, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5, 12.5.6, 12.5.7, 12.5.9, 12.5.10, 12.6.0, 12.6.1, 12.6.2, 12.6.3, 12.6.4, 12.6.6, 12.6.7, 12.6.8, 12.7.0, 12.7.1, 12.7.2, 12.7.4, 12.7.5, 12.7.6, 12.7.7, 12.7.8, 12.7.9, 12.8.0, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.8.6, 12.8.7, 12.8.8, 12.8.9, 12.8.10, 12.9.0, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6, 12.9.7, 12.9.8, 12.9.9, 12.9.10, 12.10.0, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 12.10.12, 12.10.13, 12.10.14, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8, 13.0.9, 13.0.10, 13.0.12, 13.0.13, 13.0.14, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 13.1.6, 13.1.7, 13.1.8, 13.1.9, 13.1.10, 13.1.11, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 13.2.6, 13.2.7, 13.2.8, 13.2.9, 13.2.10, 13.3.0, 13.3.1, 13.3.2, 13.3.3, 13.3.4, 13.3.5, 13.3.6, 13.3.7, 13.3.8, 13.3.9, 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.5.4, 13.5.5, 13.5.6, 13.5.7, 13.6.0, 13.6.1, 13.6.2, 13.6.3, 13.6.4, 13.6.5, 13.6.6, 13.6.7, 13.7.0, 13.7.1, 13.7.2, 13.7.3, 13.7.4, 13.7.5, 13.7.6, 13.7.7, 13.7.8, 13.7.9, 13.8.0, 13.8.1, 13.8.2, 13.8.3, 13.8.4, 13.8.5, 13.8.6, 13.8.7, 13.9.0, 13.9.1, 13.9.2, 13.9.3, 13.9.4, 13.9.5, 13.10.0, 13.10.1, 13.10.2。

漏洞公告

目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/

参考网址

来源:MISC

链接:https://gitlab.com/gitlab-org/gitlab/-/issues/327121

来源:MISC

链接:https://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html

来源:CONFIRM

链接:https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json

来源:MISC

链接:https://hackerone.com/reports/1154542

来源:MISC

链接:https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html

来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2021-22205

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.3666

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html

来源:cxsecurity.com

链接:https://cxsecurity.com/issue/WLB-2021110075

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021042211

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021042936

来源:www.exploit-db.com

链接:https://www.exploit-db.com/exploits/50532

受影响实体

    暂无


补丁

  • GitLab 输入验证错误漏洞的修复措施
    <!--
    2021-4-22
    -->