CVE-2021-22214

MEDIUM EXPLOITED NUCLEI

Gitlab < 13.10.5 - SSRF

Title source: rule

Description

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited

Exploits (5)

nomisec WORKING POC 10 stars

by ZZ-SOCMAP · poc

https://github.com/ZZ-SOCMAP/CVE-2021-22214

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by aaminin · infoleak

https://github.com/aaminin/CVE-2021-22214

View Code ZIP pw:eip

nomisec SUSPICIOUS

by Vulnmachines · infoleak

https://github.com/Vulnmachines/gitlab-cve-2021-22214

View Code ZIP pw:eip

inthewild

poc

https://github.com/r0ckysec/cve-2021-22214

View on inthewild

inthewild WORKING POC

poc

https://github.com/antx-code/cve-2021-22214

View Code ZIP pw:eip

Nuclei Templates (1)

Gitlab CE/EE 10.5 - Server-Side Request Forgery

HIGHby Suman_Kar,GitLab Red Team

Shodan: http.title:"GitLab" || cpe:"cpe:2.3:a:gitlab:gitlab" || http.title:"gitlab"

FOFA: title="gitlab"

References (3)

[Third Party Advisory] https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22214.json

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/322926

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/1110131

Scores

CVSS v3 6.8

EPSS 0.9268

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

VulnCheck KEV 2023-12-12

CWE

CWE-918

Status published

Products (1)

gitlab/gitlab 10.5 - 13.10.5

Published Jun 08, 2021

Tracked Since Feb 18, 2026