Detect GitLab SSRF Exploitation (CVE-2021-22175) in CrowdStrike LogScale
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName=NetworkReceiveAccept OR #event_simpleName=NetworkConnectIP4
| filter (RemotePort in [80, 443, 8080, 8443] OR LocalPort in [80, 443, 3000, 8080])
| filter (
HttpPath = /\/(import|hook|webhook|integrations|api\/v4\/projects\/\d+\/import)/
OR HttpQueryString = /url=http|import_url=|remote=http/
)
| eval ssrf_indicator = case(
match(HttpQueryString, "169\\.254\\.169\\.254"), "AWS_METADATA_ENDPOINT",
match(HttpQueryString, "metadata\\.google\\.internal"), "GCP_METADATA_ENDPOINT",
match(HttpQueryString, "localhost|127\\.0\\.0\\.1"), "LOOPBACK_ADDRESS",
match(HttpQueryString, "file://|gopher://|dict://"), "DANGEROUS_SCHEME",
match(RemoteIP, "^(10\\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01]))"), "INTERNAL_RFC1918",
true(), null
)
| filter ssrf_indicator != null
| stats count() AS request_count, earliest(timestamp) AS first_seen, latest(timestamp) AS last_seen, values(ssrf_indicator) AS ssrf_types, values(HttpPath) AS paths BY RemoteIP, LocalIP, ComputerName
| eval cve = "CVE-2021-22175"
| sort -request_countCrowdStrike Falcon LogScale query detecting network activity consistent with SSRF exploitation of CVE-2021-22175 in GitLab, identifying connections where HTTP parameters reference internal IPs, metadata services, or dangerous URL schemes.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled repository mirror syncs targeting internal GitLab instances
- CI/CD automation that passes internal service URLs as webhook callback addresses
- Security assessment tooling with authorized scope including SSRF testing
- GitLab Geo replication processes that reference internal primary node addresses
Other platforms for CVE-2021-22175
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GitLab SSRF via Project Import URL - AWS Metadata
Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint
- Test 2GitLab SSRF via Webhook Creation - Internal Service Probe
Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body
- Test 3GitLab SSRF via Remote Mirror - Loopback File Access
Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL
Unlock Pro Content
Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.