GitLab ExifTool RCE (CVE-2021-22205)
Description
GitLab CE/EE from version 11.9 up to the patched releases contain a critical remote code execution vulnerability caused by passing uploaded image files to ExifTool without adequate validation. GitLab invokes ExifTool on uploaded images to strip metadata, and ExifTool's DjVu parser (tracked separately as CVE-2021-22204, fixed in ExifTool 12.24) evaluates attacker-controlled metadata as Perl code. A file carrying an accepted image extension but containing a DjVu document with a malicious annotation chunk is therefore enough: ExifTool identifies the format from the content, not the extension, and arbitrary code runs with the privileges of the GitLab service account as soon as the upload is processed. The upload path is reachable without authentication on affected versions, so exposure is not limited to registered users.
Remediation
Upgrade GitLab immediately to a release that contains the fix for CVE-2021-22205. The fix shipped in the following versions; 13.11.0 and every later release also contain it:
GitLab CE/EE:
• 13.10.3 or later
• 13.9.6 or later
• 13.8.8 or later
Remediation steps:
1. Identify your current GitLab version by running:
gitlab-rake gitlab:env:info
2. Back up your GitLab instance before upgrading
3. Follow the official GitLab upgrade path documentation for your installation method (Omnibus, source, Docker, or Kubernetes)
4. Verify the upgrade was successful and that the bundled ExifTool is 12.24 or later, the first ExifTool release with the fix for the underlying DjVu parser bug (CVE-2021-22204)
5. Review upload activity from before the patch: check the gitlab-workhorse and reverse-proxy access logs for image uploads from unexpected sources, and look on the host for unexpected child processes of the GitLab service account, new cron entries, SSH keys or web shells. Treat any sign of exploitation as a compromise of the server, not only of the GitLab application.
If immediate patching is not possible, block or restrict the upload endpoints at the reverse proxy or WAF until the upgrade can be completed. Two caveats: the upload path is reachable without authentication on affected versions, so limiting uploads to logged-in users does not help; and extension or Content-Type checks at the network perimeter do not help either, because the malicious file carries an accepted image extension and the payload sits in DjVu metadata that only a content-level parser would notice.
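A helper for steps 1 and 4, added here as an illustration and not part of GitLab's own tooling: it classifies a GitLab CE/EE version string against the fixed-release list above (13.8.8, 13.9.6, 13.10.3, and 13.11 onwards, with 11.9 as the start of the affected range) and an ExifTool version against the 12.24 fix. The two Omnibus paths used in --live mode (/opt/gitlab/embedded/service/gitlab-rails/VERSION and /opt/gitlab/embedded/bin/exiftool) are assumptions; source, Docker and Kubernetes installs keep these elsewhere.

```shell
#!/bin/sh
# Added example (not GitLab's tooling): classify a GitLab CE/EE version and an
# ExifTool version against the CVE-2021-22205 / CVE-2021-22204 fixed releases.
# Fixed GitLab releases per the advisory: 13.8.8, 13.9.6, 13.10.3 (and 13.11+).
# The affected range starts at 11.9, the first release that ran ExifTool on uploads.

# vercmp A B: print -1, 0 or 1 comparing the first three numeric components.
# Suffixes such as "-ee" on the patch component are ignored.
vercmp() {
    a=$1; b=$2; i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; y=${b%%.*}            # leading dotted component
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}  # drop "-ee", "rc1", ...
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# assess_gitlab VERSION: print UNAFFECTED, VULNERABLE or PATCHED.
assess_gitlab() {
    v=$1
    if [ "$(vercmp "$v" 11.9.0)" -lt 0 ]; then echo UNAFFECTED; return 0; fi
    # The fix was backported: compare within the matching minor branch only,
    # so that 13.8.8 counts as patched even though it is older than 13.9.0.
    for fixed in 13.8.8 13.9.6 13.10.3; do
        branch=${fixed%.*}
        case $v in
            "$branch".*)
                if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then echo PATCHED; else echo VULNERABLE; fi
                return 0 ;;
        esac
    done
    # Any other branch: 13.11 and later ship the fix, everything older does not.
    if [ "$(vercmp "$v" 13.11.0)" -ge 0 ]; then echo PATCHED; else echo VULNERABLE; fi
}

# assess_exiftool VERSION: ExifTool 12.24 is the first release without the DjVu bug.
assess_exiftool() {
    if [ "$(vercmp "$1" 12.24)" -ge 0 ]; then echo PATCHED; else echo VULNERABLE; fi
}

# "--live" checks the host this runs on. Both paths are assumptions for Omnibus
# installs; source, Docker and Kubernetes installs keep these files elsewhere.
if [ "${1:-}" = "--live" ]; then
    gl_version=$(cat /opt/gitlab/embedded/service/gitlab-rails/VERSION)
    et_version=$(/opt/gitlab/embedded/bin/exiftool -ver)
    echo "GitLab $gl_version: $(assess_gitlab "$gl_version")"
    echo "ExifTool $et_version: $(assess_exiftool "$et_version")"
fi
```

Run it with --live on the upgraded host, or source it and call the functions directly: assess_gitlab 13.10.2-ee prints VULNERABLE, assess_gitlab 13.8.8 prints PATCHED. The per-branch comparison matters because a plain "is it newer than 13.10.3" test would wrongly flag the patched 13.8.8 and 13.9.6 releases.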