🔴 CVE-2021-39935

CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) ^[2].

Exploitation and Threat Actor Usage

• Active Exploitation: The vulnerability is actively exploited in the wild and is included in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog ^[1].
• Targeted Attacks/Ransomware: While it is confirmed as an actively exploited vulnerability in the KEV catalog, specific public attribution to ransomware campaigns or specific targeted threat actor groups is not widely detailed in standard vulnerability databases. However, its presence in the KEV catalog indicates it is a high-priority target for malicious actors ^[1].

Attack Method and Requirements

• Method: The flaw is an SSRF vulnerability located in GitLab’s CI Lint API, which is intended to validate CI/CD configuration files ^[1].
• Requirements: It allows unauthorized external users to perform server-side requests ^[2]. It does not typically require user interaction from an authenticated administrator to trigger, as it is accessible to external attackers ^[1].

Impact

• Access/Impact: Successful exploitation allows an attacker to force the GitLab server to make unauthorized requests to internal or external resources. This can potentially lead to information disclosure, scanning of internal networks, or interaction with internal services that are otherwise protected from the public internet ^[1].

Affected Versions and Mitigation

• Affected Versions: The vulnerability affects the following versions of GitLab CE/EE:

* All versions starting from 10.5 before 14.3.6 ^[2] * All versions starting from 14.4 before 14.4.4 ^[2] * All versions starting from 14.5 before 14.5.2 ^[2]

• Status: This issue has been patched by GitLab. Organizations running affected versions are strongly advised to upgrade to the patched versions (14.3.6, 14.4.4, 14.5.2, or later) to mitigate the risk ^[2].