Detect GitLab SSRF Exploitation (CVE-2021-22175) in Google Chronicle
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
YARA-L Detection Query
rule gitlab_ssrf_cve_2021_22175 {
meta:
author = "df00tech Detection Engineering"
description = "Detects SSRF exploitation attempts against GitLab CVE-2021-22175"
severity = "HIGH"
priority = "HIGH"
cve = "CVE-2021-22175"
mitre_attack = "T1190"
events:
$req.metadata.event_type = "NETWORK_HTTP"
$req.target.application = /gitlab/i
(
$req.target.url.path = /\/(import|hook|webhook|integrations)/ or
$req.target.url.query = /url=http/ or
$req.target.url.query = /import_url=/ or
$req.target.url.query = /remote=http/
)
(
$req.target.url.query = /169\.254\.169\.254/ or
$req.target.url.query = /metadata\.google\.internal/ or
$req.target.url.query = /localhost/ or
$req.target.url.query = /127\.0\.0\.1/ or
$req.target.url.query = /file:\/\// or
$req.target.url.query = /gopher:\/\// or
$req.target.url.query = /dict:\/\//
)
$req.principal.ip = $src_ip
match:
$src_ip over 5m
outcome:
$risk_score = 75
$event_count = count_distinct($req.metadata.id)
$targeted_paths = array_distinct($req.target.url.path)
condition:
$req
}Chronicle YARA-L rule detecting SSRF exploitation patterns in GitLab HTTP traffic, correlating requests to vulnerable endpoints with internal IP addresses, cloud metadata hostnames, or dangerous URL schemes in request parameters.
Data Sources
Required Tables
False Positives & Tuning
- GitLab administrators testing import functionality with internal repository mirrors
- Authorized red team exercises with pre-approved SSRF test cases
- GitLab Runner agents accessing internal package registries through the GitLab host
- Monitoring agents performing synthetic transactions against GitLab APIs
Other platforms for CVE-2021-22175
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GitLab SSRF via Project Import URL - AWS Metadata
Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint
- Test 2GitLab SSRF via Webhook Creation - Internal Service Probe
Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body
- Test 3GitLab SSRF via Remote Mirror - Loopback File Access
Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL
Unlock Pro Content
Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.