Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/240501?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/240501?format=api", "vulnerability_id": "VCID-wm8m-8qsm-tfd2", "summary": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.", "aliases": [ { "alias": "CVE-2021-22205" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371202?format=api", "purl": "pkg:alpm/archlinux/gitlab@13.10.3-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@13.10.3-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/923289?format=api", "purl": "pkg:deb/debian/gitlab@15.10.8%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitlab@15.10.8%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/923255?format=api", "purl": "pkg:deb/debian/gitlab@17.6.5-19?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitlab@17.6.5-19%3Fdistro=sid" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371201?format=api", "purl": "pkg:alpm/archlinux/gitlab@13.10.2-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bdar-wgfe-qqgf" }, { "vulnerability": "VCID-wm8m-8qsm-tfd2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/gitlab@13.10.2-1" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22205", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94467", "scoring_system": "epss", "scoring_elements": "0.99996", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.94467", 
"scoring_system": "epss", "scoring_elements": "0.99997", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22205" }, { "reference_url": "https://hackerone.com/reports/1154542", "reference_id": "1154542", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T19:48:57Z/" } ], "url": "https://hackerone.com/reports/1154542" }, { "reference_url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327121", "reference_id": "327121", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T19:48:57Z/" } ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327121" }, { "reference_url": "https://security.archlinux.org/ASA-202104-1", "reference_id": "ASA-202104-1", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202104-1" }, { "reference_url": "https://security.archlinux.org/AVG-1822", "reference_id": "AVG-1822", "reference_type": "", "scores": [ { "value": "Critical", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1822" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/50532.txt", "reference_id": "CVE-2021-22205", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/50532.txt" }, { "reference_url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json", "reference_id": "CVE-2021-22205.json", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T19:48:57Z/" } ], "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json" }, { "reference_url": "http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html", "reference_id": "GitLab-13.10.2-Remote-Code-Execution.html", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T19:48:57Z/" } ], "url": "http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html" }, { "reference_url": "http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html", "reference_id": "GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T19:48:57Z/" } ], "url": "http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html" } ], "weaknesses": [], "exploits": [ { "date_added": "2021-11-17", "description": "GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": false, "source_date_published": "2021-11-17", "exploit_type": "webapps", "platform": "ruby", "source_date_updated": "2021-11-17", "data_source": "Exploit-DB", "source_url": "" }, { "date_added": "2021-11-03", "description": "GitLab Community and Enterprise Editions that utilize the ability to upload images through GitLab 
Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through ExifTool, which improperly validates the image files.", "required_action": "Apply updates per vendor instructions.", "due_date": "2021-11-17", "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-22205", "known_ransomware_campaign_use": true, "source_date_published": null, "exploit_type": null, "platform": null, "source_date_updated": null, "data_source": "KEV", "source_url": null }, { "date_added": null, "description": "This module exploits an unauthenticated file upload and command\n injection vulnerability in GitLab Community Edition (CE) and\n Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6,\n and 13.8.8.\n\n Exploitation will result in command execution as the git user.", "required_action": null, "due_date": null, "notes": "Stability:\n - crash-safe\nReliability:\n - repeatable-session\nSideEffects:\n - ioc-in-logs\n - artifacts-on-disk\n", "known_ransomware_campaign_use": false, "source_date_published": "2021-04-14", "exploit_type": null, "platform": "Linux,Unix", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/gitlab_exif_rce.rb" } ], "severity_range_score": "9.0 - 10.0", "exploitability": "2.0", "weighted_severity": "9.0", "risk_score": 10.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wm8m-8qsm-tfd2" }