Which SIEM platforms have a CVE-2021-39935 detection rule?

df00tech provides CVE-2021-39935 (GitLab SSRF via Import Feature (CVE-2021-39935)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect GitLab SSRF via Import Feature (CVE-2021-39935) (CVE-2021-39935)?

Detecting GitLab SSRF via Import Feature (CVE-2021-39935) requires the following data sources: CommonSecurityLog, W3CIISLog, AzureDiagnostics.

What severity and confidence is the CVE-2021-39935 detection?

The CVE-2021-39935 detection is rated high severity with medium confidence.

What are common false positives for CVE-2021-39935?

Common false positives for CVE-2021-39935 include: Legitimate GitLab integrations that import from internal artifact repositories may trigger this rule; Security scanners or vulnerability assessment tools probing GitLab endpoints; Misconfigured webhook targets pointing to RFC-1918 addresses for internal CI/CD pipelines.

CVE-2021-39935 Google Chronicle · YARA-L

Detect GitLab SSRF via Import Feature (CVE-2021-39935) in Google Chronicle

CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions. An attacker can abuse GitLab's project import or integration features to cause the server to issue arbitrary HTTP requests to internal network resources, enabling reconnaissance, metadata service access, and potential lateral movement within cloud-hosted or on-premises GitLab deployments. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic: Reconnaissance Discovery Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule gitlab_ssrf_cve_2021_39935 {
  meta:
    author = "df00tech"
    description = "Detects SSRF exploitation attempts against GitLab import/integration APIs (CVE-2021-39935)"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.target.hostname = /gitlab/
    (
      $req.target.url = /\/api\/v4\/projects/ or
      $req.target.url = /\/import/ or
      $req.target.url = /\/integrations/
    )
    (
      $req.target.url = /169\.254\.169\.254/ or
      $req.target.url = /metadata\.google\.internal/ or
      $req.target.url = /100\.100\.100\.200/ or
      $req.target.url = /127\.0\.0\.1/ or
      $req.target.url = /localhost/
    )

  condition:
    $req
}

high severity medium confidence

Chronicle YARA-L rule detecting SSRF requests to GitLab API endpoints targeting internal or metadata IP addresses.

Data Sources

Web proxy logsHTTP network telemetryCloud audit logs

Required Tables

NETWORK_HTTP

False Positives & Tuning

Internal GitLab administration tools that legitimately query metadata endpoints
Developer testing of GitLab import functionality against local instances
Security scanning tools generating SSRF-pattern traffic for audit purposes

Other platforms for CVE-2021-39935

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1SSRF via GitLab Project Import URL — Cloud Metadata
Expected signal: Outbound network connection from GitLab server process to 169.254.169.254:80; HTTP GET request logged in GitLab production.log with import_url parameter containing metadata IP
Test 2SSRF via GitLab Webhook Integration — Internal Host
Expected signal: Network connection attempt from GitLab process to 192.168.1.1:6379; webhook creation logged in GitLab audit log with attacker-supplied internal URL
Test 3SSRF via GitLab External Issue Tracker Integration — GCP Metadata
Expected signal: DNS lookup for metadata.google.internal followed by HTTP GET from GitLab server; integration update recorded in GitLab application log

Last updated: 2026-06-19 Research depth: standard

References (2)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2021-39935 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0043Reconnaissance TA0007Discovery TA0008Lateral Movement

Related Techniques

T1590Gather Victim Network Information T1552.005Cloud Instance Metadata API T1018Remote System Discovery

Detect GitLab SSRF via Import Feature (CVE-2021-39935) in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2021-39935

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2021-39935

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox