CVE-2021-22175 Elastic Security · Elastic

Detect GitLab SSRF Exploitation (CVE-2021-22175) in Elastic Security

Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.category == "network" and event.type == "connection"
   and (
     url.path : ("*/import*", "*/hook*", "*/webhook*", "*/integrations*")
     or url.query : ("*url=http*", "*import_url=*", "*remote=http*")
   )
   and http.response.status_code in (200, 302, 400, 403, 500)
  ]
  [network where event.category == "network"
   and (
     destination.ip : ("169.254.169.254", "127.0.0.1", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")
     or dns.question.name : ("metadata.google.internal", "169.254.169.254")
   )
   and source.ip : ("*gitlab*") 
  ]
high severity high confidence

EQL sequence detection correlating inbound SSRF-targeted requests to GitLab with subsequent outbound connections from the GitLab server to internal or cloud metadata IP ranges, confirming successful SSRF exploitation.

Data Sources

Elastic Network EventsPacketbeatElastic Agent Network Monitoring

Required Tables

logs-*packetbeat-*network-*

False Positives & Tuning

  • GitLab's own internal health checks to loopback addresses
  • Legitimate webhook deliveries where the receiving server is on a private network
  • Authorized cloud metadata access by GitLab for cloud-native deployments
  • Security monitoring agents that probe internal endpoints from the GitLab host

Other platforms for CVE-2021-22175

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1GitLab SSRF via Project Import URL - AWS Metadata

    Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint

  2. Test 2GitLab SSRF via Webhook Creation - Internal Service Probe

    Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body

  3. Test 3GitLab SSRF via Remote Mirror - Loopback File Access

    Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1552.007Container APIT1016System Network Configuration DiscoveryT1083File and Directory Discovery

Same Tactic: Reconnaissance

Popular Detections