The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to federal agencies, demanding they address a five-year-old vulnerability in GitLab that is currently being exploited by attackers. The flaw, a server-side request forgery (SSRF) vulnerability tracked as CVE-2021-39935, was initially patched by GitLab in .
SSRF vulnerabilities let an attacker make the server issue requests to destinations of the attacker's choosing, including internal services and metadata endpoints that are not reachable from the internet, which can expose sensitive data or serve as a stepping stone for further attacks. In this case the flaw sits in GitLab's CI Lint API and could be exploited without authentication, so no account or project role was needed. GitLab explained at the time of the patch that external users who are not developers should not have access to this API.
CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on . Under Binding Operational Directive (BOD) 22-01, that listing obliges Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw within three weeks – by .
While the directive specifically targets federal agencies, CISA strongly encourages all organizations, including those in the private sector, to prioritize securing their systems against active exploitation of CVE-2021-39935. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned in its alert.
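The defensive side of the SSRF described above is a target check before any server-side fetch. The following is an added example written for this article, not GitLab's code or its actual fix: it rejects non-HTTP(S) schemes, credentials embedded in the URL, and any host that is, or resolves to, a loopback, private, link-local or otherwise internal address. The resolver is injectable (the `resolver` parameter is an assumption of this example) so the logic can be exercised without network access.

```python
"""Illustrative SSRF target guard (added example, not GitLab code).

Decides whether an application may perform a server-side fetch of a URL.
The resolver is injectable so the check can be run without DNS access.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list:
    """Resolve a hostname to all of its A/AAAA addresses using real DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(ip) -> bool:
    """True for any address an SSRF guard should refuse to contact."""
    # Unwrap IPv4-mapped IPv6 literals (::ffff:127.0.0.1) before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified # 0.0.0.0, ::
    )


def classify_fetch_target(url: str, resolver=_default_resolver):
    """Return (allowed, reason) for a candidate outbound fetch.

    Every resolved address is checked, not just the first one, because an
    attacker-controlled name may return a mix of public and internal records.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed for {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/ci.yml",
                      "http://127.0.0.1:8080/",
                      "http://[::ffff:10.0.0.5]/",
                      "file:///etc/passwd"):
        print(candidate, "->", classify_fetch_target(candidate))
```

Two caveats a practitioner would want: the check is only meaningful if the HTTP client then connects to the addresses that were validated (otherwise a DNS answer that changes between check and connect defeats it), and redirects must be re-validated hop by hop, since the first URL can be harmless and the 302 target internal.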
That a five-year-old vulnerability is still being exploited highlights the ongoing challenge of patching and maintaining security across complex software ecosystems. Even after a vendor releases a fix, vulnerabilities can remain unaddressed because of outdated systems, lack of awareness, or the difficulty of applying patches to self-hosted deployments.
Currently, Shodan is tracking over 49,000 devices with a GitLab fingerprint exposed online, and a significant majority of those exposed instances are located in China. Nearly 27,000 of them respond on port 443, the standard HTTPS port. A Shodan fingerprint establishes exposure, not exploitability: it does not reveal the installed version, so these figures bound the internet-facing population rather than the vulnerable one, and the only reliable test is the instance's own version number.
GitLab is a widely used DevSecOps platform, boasting more than 30 million registered users and serving over 50% of Fortune 100 companies. High-profile organizations like Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin rely on GitLab for their software development and deployment pipelines. This widespread adoption underscores the potential impact of this vulnerability.
The vulnerability affects all versions of GitLab CE/EE starting from 10.5 before 14.3.6, versions from 14.4 before 14.4.4, and versions from 14.5 before 14.5.2; the corresponding fixed releases are therefore 14.3.6, 14.4.4 and 14.5.2, and anything older than the 14.3 series should move to a supported release rather than a back-ported fix. CISA advises organizations to apply mitigations as instructed by GitLab, follow applicable guidance for cloud services outlined in BOD 22-01, or discontinue use of the product if mitigations are unavailable.
This alert comes just one day after CISA also flagged a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk as actively exploited, again ordering government agencies to patch their systems, but with a much shorter timeframe of three days. Taken together, the two alerts underscore the urgency for organizations to prioritize vulnerability management.
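For a fleet of self-hosted instances the affected ranges above are easiest to apply mechanically. The script below is an added example for this article, not tooling from GitLab or CISA: it parses GitLab version strings (the `-ee`/`-ce` suffix format is assumed from how GitLab reports its version), tests them against the three ranges exactly as the advisory states them, and triages a constructed inventory. In practice the version string would come from each instance's authenticated `GET /api/v4/version` response or from an administrator's inventory; the sample inventory here is invented for the demonstration.

```python
"""Added example (not GitLab or CISA code): triage GitLab instances against
the affected ranges published for CVE-2021-39935.

Ranges as stated in the advisory: 10.5 <= v < 14.3.6, 14.4 <= v < 14.4.4,
14.5 <= v < 14.5.2. Inventory data below is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# (inclusive lower bound, exclusive upper bound); the upper bound is the
# first fixed release of that series.
AFFECTED_RANGES = (
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
)

# Accepts "14.4.2", "v14.4.2", "14.4.2-ee", "14.4" (patch defaults to 0).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def minimum_fix(version: str) -> Optional[str]:
    """First patched release for the range this version falls in, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(version: str) -> bool:
    return minimum_fix(version) is not None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, action) for every instance needing attention.

    Unparseable versions are reported too: an instance whose version cannot
    be determined must not silently drop out of the patch list.
    """
    findings = []
    for name, version in inventory:
        try:
            fix = minimum_fix(version)
        except ValueError:
            findings.append((name, version, "verify version manually"))
            continue
        if fix is not None:
            findings.append((name, version, f"upgrade to {fix} or later"))
    return findings


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY = [
    ("git-build-01", "14.3.5-ee"),   # affected, fix 14.3.6
    ("git-build-02", "14.3.6-ee"),   # fixed
    ("git-legacy",   "12.10.14-ce"), # affected, fix 14.3.6
    ("git-new",      "14.5.2-ee"),   # fixed
    ("git-old",      "10.4.9-ce"),   # below the affected floor
    ("git-unknown",  "n/a"),         # version not reported
]

if __name__ == "__main__":
    for name, version, action in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {version:12} {action}")
```

Note that a version below 14.3.6 that is not in the 14.3 series cannot simply take the 14.3.6 patch release; the script reports the first fixed release of the matching range as the floor, and the real upgrade path for an old instance is GitLab's documented upgrade sequence to a currently supported version.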
