CVE-2021-22224

Name of the Vulnerable Software and Affected Versions GitLab versions 13.12 through 13.12.5 GitLab versions 14.0.0 through 14.0.1

Description A cross-site request forgery issue in the GraphQL API allows an attacker to call mutations as the victim. The vulnerability is related to the lack of X-CSRF-Token header check in GET requests. This enables a remote attacker to impact data integrity.

Recommendations For GitLab versions 13.12 through 13.12.5, update to version 13.12.6 or later. For GitLab versions 14.0.0 through 14.0.1, update to version 14.0.2 or later. As a temporary workaround, consider restricting access to the GraphQL API until a patch is available.