CVE-2021-22218

Description

All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.

How to fix CVE-2021-22218

To remediate CVE-2021-22218, upgrade the affected package to a fixed version below.

Bitnami/gitlab—upgrade to 13.10.5 or later

Is CVE-2021-22218 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 12.8.0, < 13.10.5, >= 13.11.0, < 13.11.5, >= 13.12.0, < 13.12.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References (4)

WEBgitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22218.json
WEBgitlab.com/gitlab-org/gitlab/-/issues/297665
WEBhackerone.com/reports/1077019
WEBnvd.nist.gov/vuln/detail/CVE-2021-22218