GitLab ExifTool uploaded image command injection

Added: 11/24/2021

Background

GitLab is an open-source software development platform with built-in version control and issue tracking.

Problem

A remote attacker can execute arbitrary commands on the GitLab server by uploading a specially crafted image: when ExifTool processes the file, it parses the DjVu annotations embedded in it and executes the Perl code injected there.
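The root of the problem is that the uploaded file's real content, not its extension, decides how ExifTool treats it. As an added defence-in-depth illustration (not code from GitLab or ExifTool), the following Python helper refuses to hand a file to a metadata tool when its leading bytes identify a DjVu container or when they do not match the image type the extension claims. The sample headers are constructed for the example; the DjVu magic ("AT&TFORM", a 4-byte length, then a form type such as DJVU) is the format's documented container header, and the accepted image set is an assumption of this example.

```python
import struct

# Constructed sample headers, not real files: a minimal PNG signature and a
# minimal DjVu container header. DjVu files begin with the IFF-style magic
# "AT&TFORM", a 4-byte big-endian chunk length, then a form type such as DJVU.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_DJVU = b"AT&TFORM" + struct.pack(">I", 4) + b"DJVU"

DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}

# Magic bytes for the image formats this (hypothetical) upload handler accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpg": "jpeg"}


def is_djvu(data: bytes) -> bool:
    """True if the bytes carry a DjVu container header, whatever the filename says."""
    return (
        len(data) >= 16
        and data[:8] == DJVU_MAGIC
        and data[12:16] in DJVU_FORM_TYPES
    )


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None if unrecognised."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def check_upload(filename: str, data: bytes):
    """Decide whether an upload may be passed on to a metadata tool.

    Returns (accepted, reason). DjVu content is rejected outright, and so is
    any file whose real content does not match the extension it was uploaded under.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    if is_djvu(data):
        return False, "DjVu container detected; refusing to pass the file to ExifTool"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image format"
    if sniffed != ext:
        return False, f"extension .{ext} does not match content ({sniffed})"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in (("photo.png", SAMPLE_PNG), ("photo.png", SAMPLE_DJVU)):
        print(name, check_upload(name, blob))
```

A filter like this only narrows what reaches the parser; it does not remove the parsing bug, so it complements the upgrade rather than replacing it. ExifTool identifies formats from content, which is exactly why an extension-only allowlist is not enough here.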

Resolution

Upgrade to GitLab 13.8.8, 13.9.6, or 13.10.3 or higher.
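To apply the resolution across an inventory of instances you need to compare each reported version against the fixed release on its own branch, since 13.8.8, 13.9.6 and 13.10.3 are the floors for three separate branches. The following Python helper, added here as an example and not part of the advisory or of GitLab, does that comparison. It assumes that any branch older than 13.8 received no listed fix and is therefore treated as affected, that every branch after 13.10 carries the fix, and that edition suffixes such as "-ee" can be ignored for the comparison.

```python
import re

# Lowest fixed release on each affected branch, taken from the advisory.
FIXED_PER_BRANCH = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
# Assumption of this example: every branch from 13.11 onwards includes the fix.
FIRST_FIXED_BRANCH = (13, 11)


def parse_version(version: str) -> tuple:
    """Turn '13.10.3' or '13.10.3-ee' into (13, 10, 3).

    A trailing edition tag after '-' is ignored; missing components count as 0.
    """
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version: str) -> bool:
    """True if the given release is at or above the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_PER_BRANCH:
        return v >= FIXED_PER_BRANCH[branch]
    # Assumption: branches older than 13.8 have no listed fix and are treated as affected.
    return branch >= FIRST_FIXED_BRANCH


def triage(versions):
    """Map each version string to a short status for an inventory report."""
    return {v: ("fixed" if is_fixed(v) else "upgrade required") for v in versions}


if __name__ == "__main__":
    # Constructed inventory for the example.
    for version, status in triage(["13.7.9", "13.8.8", "13.9.5", "13.10.3-ee", "14.0.0"]).items():
        print(f"{version:12} {status}")
```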

References

https://gitlab.com/gitlab-org/gitlab/-/issues/327121
https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
