Report DIVD-2021-00030 - GitLab Unauthenticated RCE Flaw

Written on 19 Nov 2021 by Jeroen van de Weerd

Case lead: Victor Gevers
Researchers: Frank Breedijk, Victor Gevers, Lennaert Oudshoorn
Case file: DIVD-2021-00030

On November 7, Censys published a blog post about a vulnerability in GitLab Enterprise Edition and Community Edition. A researcher known as "vakzz" (William Bowling) found the vulnerability on May 7, 2021, and reported it through GitLab's bug bounty program. The root cause was that the application did not correctly validate uploaded images. GitLab engineers fixed the vulnerability almost immediately. However, a few months later, a report surfaced on Twitter that a botnet of thousands of compromised GitLab servers was being used to perform DDoS attacks.

GitLab is an open-source code repository and DevOps platform that brings development, operations, and security teams into a single application. It is primarily used by large organizations to manage DevOps workflows and related software projects.

On November 11, DIVD opened case DIVD-2021-00030. We received data from Censys listing vulnerable GitLab servers. We validated a subset of this data and looked up abuse contact addresses for every unique IP address. On November 15, we sent around 8,000 notifications by email. We received multiple positive responses: some recipients thanked us, some indicated that they had forgotten to apply the update, and a few indicated that they had found traces of abuse on their systems. We did not send any further notifications, and the case was therefore closed.

More information can be found here: