CVE-2021-39935 CrowdStrike LogScale · LogScale

Detect GitLab SSRF via Import Feature (CVE-2021-39935) in CrowdStrike LogScale

CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions. An attacker can abuse GitLab's project import or integration features to cause the server to issue arbitrary HTTP requests to internal network resources, enabling reconnaissance, metadata service access, and potential lateral movement within cloud-hosted or on-premises GitLab deployments. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4
| NetworkRemoteIP in ("169.254.169.254", "100.100.100.200", "127.0.0.1")
  OR (NetworkRemoteIP startswith "10." AND ImageFileName = "/usr/bin/gitlab*")
  OR (NetworkRemoteIP startswith "192.168." AND ImageFileName = "/usr/bin/gitlab*")
| join {#event_simpleName=ProcessRollup2 | ImageFileName=/gitlab/ | fields ProcessStartTime, UserName, CommandLine, ParentProcessId, TargetProcessId} key=[TargetProcessId], field=[ContextProcessId]
| eval ssrf_risk=if(NetworkRemoteIP=="169.254.169.254" OR NetworkRemoteIP=="100.100.100.200", "critical", "high")
| table _time, ComputerName, UserName, ImageFileName, CommandLine, NetworkRemoteIP, NetworkRemotePort, ssrf_risk
| sort by ssrf_risk asc, _time desc
high severity medium confidence

CrowdStrike Falcon query detecting GitLab process-level network connections to internal metadata and RFC-1918 addresses, indicative of SSRF exploitation.

Data Sources

CrowdStrike Falcon EDRProcess telemetryNetwork connection events

Required Tables

NetworkConnectIP4ProcessRollup2

False Positives & Tuning

  • GitLab runner processes legitimately connecting to internal Docker daemon or registry
  • GitLab backup processes accessing internal storage endpoints
  • GitLab Pages serving content from internal network sources in on-premises deployments

Other platforms for CVE-2021-39935

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SSRF via GitLab Project Import URL — Cloud Metadata

    Expected signal: Outbound network connection from GitLab server process to 169.254.169.254:80; HTTP GET request logged in GitLab production.log with import_url parameter containing metadata IP

  2. Test 2SSRF via GitLab Webhook Integration — Internal Host

    Expected signal: Network connection attempt from GitLab process to 192.168.1.1:6379; webhook creation logged in GitLab audit log with attacker-supplied internal URL

  3. Test 3SSRF via GitLab External Issue Tracker Integration — GCP Metadata

    Expected signal: DNS lookup for metadata.google.internal followed by HTTP GET from GitLab server; integration update recorded in GitLab application log

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2021-39935 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1590Gather Victim Network InformationT1552.005Cloud Instance Metadata APIT1018Remote System Discovery

Same Tactic: Reconnaissance

Popular Detections