A high-risk vulnerability was disclosed six months ago, and half of GitLab servers are still unpatched.

In recent years, as open source technology has flourished, industries of every kind have begun to embrace it, bringing new vitality to industrial development and upgrading.

It is undeniable, however, that the security of open source technology remains a difficult problem, one that has even begun to affect the healthy development of the open source ecosystem. As an open form of development, open source work tends to focus on the technology itself and to overlook whether that technology is secure, so vulnerability patching is often not pursued actively.

According to a report released by Rapid7, more than half of GitLab servers have still not been patched against a high-risk vulnerability that was disclosed more than half a year ago. Criminals can use this known vulnerability to launch cyber attacks.

First, the basic facts of the vulnerability.

On April 14, 2021, security researchers discovered a remote command execution vulnerability in GitLab servers, tracked as CVE-2021-22205 with a CVSSv3 score of 10.0. The vulnerability can be exploited without authentication, and both Community Edition (CE) and Enterprise Edition (EE) are affected.

On April 15, GitLab released a security update to fix this command execution vulnerability (CVE-2021-22205). Because the ExifTool component used by GitLab did not correctly process incoming image files, an attacker could upload a malicious image and execute arbitrary commands on the target server, gaining access to repositories and even deleting, modifying, or stealing source code.

This vulnerability is being actively exploited

Because many GitLab servers have not been patched, criminals have had an opening. In June 2021, threat actors began exploiting the vulnerability: they created a new account on the GitLab server and granted it administrator privileges. In doing so, attackers needed no authentication or CSRF token, and did not even need a valid HTTP endpoint to exploit the vulnerability.

To further determine the potential impact of the vulnerability, Rapid7, a well-known international network security company, began investigating how many GitLab servers remained unpatched.

The findings were surprising. The data show that as of November 2021, more than 50% of the roughly 60,000 GitLab servers surveyed had not been patched against this vulnerability, and for 29% it was uncertain whether they were vulnerable, because the version strings of those servers could not be extracted.

This means that only about 20% of GitLab servers can be confirmed as patched. And that is just this one vulnerability; how many other high-risk vulnerabilities remain unpatched?

In the report, security researchers advise users to upgrade GitLab Community Edition (CE) and Enterprise Edition (EE) to 13.10.3, 13.9.6, or 13.8.8 for protection.
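The three fixed releases above map to three maintenance lines, which is what makes a fleet-wide "are we patched?" check easy to get wrong. The following is an added example, not code from Rapid7 or GitLab, that triages version strings from an asset inventory into patched, vulnerable, and unknown (the survey's "version could not be extracted" bucket); it assumes, beyond what the advisory states, that any later line (13.11+) carries the fix and that anything older than 13.8 has no fixed release.

```python
"""Triage GitLab version strings against the CVE-2021-22205 fix versions.

Added example; not part of the Rapid7 report or GitLab's own tooling.
Fixed releases come from the advisory: 13.10.3, 13.9.6 and 13.8.8.
Assumptions (not stated in the article): a release on a later minor line
(13.11+) contains the fix, and anything older than the 13.8 line has no
fixed release and must be upgraded.
"""
import re
from typing import Iterable, Optional, Tuple

# Minimum fixed patch level per (major, minor) maintenance line, from the advisory.
FIXED = {(13, 8): 8, (13, 9): 6, (13, 10): 3}

# Accepts "13.10.3", "v13.10.3", and the "-ee"/"-ce" suffix GitLab appends.
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?\s*$", re.IGNORECASE)


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None when no version can be extracted."""
    if not text:
        return None
    m = VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def triage(text: Optional[str]) -> str:
    """Classify one server as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # the survey's 29%: version string not extractable
    major, minor, patch = v
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "vulnerable"
    # Assumption: later lines ship the fix; older lines have no fixed release.
    return "patched" if line > (13, 10) else "vulnerable"


def summarize(versions: Iterable[Optional[str]]) -> dict:
    """Count triage outcomes across a fleet, mirroring the survey's breakdown."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    for text in versions:
        counts[triage(text)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts), e.g. exported from an asset register.
    sample = ["13.10.3-ee", "13.9.5", "13.8.8", "14.0.0", "13.7.9", None, "n/a"]
    print(summarize(sample))  # {'patched': 3, 'vulnerable': 2, 'unknown': 2}
```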