Detect GitLab SSRF Exploitation (CVE-2021-22175) in Splunk
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
SPL Detection Query
index=web OR index=gitlab OR index=proxy
(sourcetype=access_combined OR sourcetype=gitlab:access OR sourcetype=nginx:access OR sourcetype=haproxy)
(
(uri_path IN ("*/import*", "*/hook*", "*/webhook*", "*/integrations*", "*/api/v4/projects/*/import*"))
OR (uri_query IN ("*url=http*", "*remote=http*", "*import_url=*"))
)
| eval decoded_query=urldecode(uri_query)
| eval ssrf_target=case(
match(decoded_query, "169\.254\.169\.254"), "AWS_METADATA",
match(decoded_query, "metadata\.google\.internal"), "GCP_METADATA",
match(decoded_query, "169\.254\.169\.254|fd00:ec2::254"), "CLOUD_METADATA",
match(decoded_query, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01]))"), "INTERNAL_RFC1918",
match(decoded_query, "localhost|127\.0\.0\.1|::1"), "LOOPBACK",
true(), "EXTERNAL"
)
| where ssrf_target != "EXTERNAL" OR match(decoded_query, "file://|dict://|gopher://|ftp://")
| stats count AS request_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(ssrf_target) AS ssrf_targets, values(uri_path) AS targeted_paths BY src_ip, host
| eval cve="CVE-2021-22175", severity="high"
| sort -request_countSearches GitLab and proxy access logs for SSRF exploitation patterns targeting internal resources, cloud metadata endpoints, or using non-HTTP schemes indicative of SSRF abuse against CVE-2021-22175.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate project imports from external Git repositories via HTTP
- Authorized integration testing by platform engineers pointing webhooks to internal test endpoints
- Penetration testing or red team exercises with documented scope
- GitLab Runner configurations that reference internal artifact or registry servers
Other platforms for CVE-2021-22175
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GitLab SSRF via Project Import URL - AWS Metadata
Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint
- Test 2GitLab SSRF via Webhook Creation - Internal Service Probe
Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body
- Test 3GitLab SSRF via Remote Mirror - Loopback File Access
Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL
Unlock Pro Content
Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.