CVE-2021-32635: Code Injection
An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint.
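The following Go program is an added illustration of the endpoint-confusion bug class this advisory describes; it is not the affected project's code. It models a remote configuration with a built-in default endpoint and an optional user-configured one, then shows a resolver that ignores the configured endpoint for one command path beside a resolver that honours it. The endpoint URLs, the `RemoteConfig` type and the `library://` path handling are all constructed assumptions for the example; the point is that the same `library://` URI resolves to two different hosts, which is exactly the condition that lets content pushed to the default endpoint be picked up by a user who configured a different one.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed placeholder for the built-in default remote endpoint (not a real host).
const defaultEndpoint = "https://library.example.invalid"

// RemoteConfig is a hypothetical model of the remote endpoint configuration:
// Default is always present, Active is set only when the user configured
// a non-default remote.
type RemoteConfig struct {
	Default string
	Active  string
}

// ActiveEndpoint returns the endpoint every library:// operation should use.
func (c RemoteConfig) ActiveEndpoint() string {
	if c.Active != "" {
		return c.Active
	}
	return c.Default
}

// libraryPath strips the scheme and rejects obviously malformed paths.
func libraryPath(uri string) (string, error) {
	const scheme = "library://"
	if !strings.HasPrefix(uri, scheme) {
		return "", fmt.Errorf("not a library URI: %q", uri)
	}
	p := strings.TrimPrefix(uri, scheme)
	if p == "" || strings.Contains(p, "..") {
		return "", fmt.Errorf("malformed library path: %q", uri)
	}
	return p, nil
}

// ResolveActionVulnerable mirrors the defect in the advisory: the action
// command path always builds its URL from the default endpoint, ignoring
// whatever remote the user configured.
func ResolveActionVulnerable(cfg RemoteConfig, uri string) (string, error) {
	p, err := libraryPath(uri)
	if err != nil {
		return "", err
	}
	return cfg.Default + "/" + p, nil
}

// ResolveActionFixed routes the same URI through the configured endpoint,
// the way pull/push are described as already doing.
func ResolveActionFixed(cfg RemoteConfig, uri string) (string, error) {
	p, err := libraryPath(uri)
	if err != nil {
		return "", err
	}
	return cfg.ActiveEndpoint() + "/" + p, nil
}

// EndpointMismatch reports whether the given resolver sends a URI to a host
// other than the one pull/push would use. A true result is the detectable
// symptom of this bug class: one URI, two hosts, depending on the command.
func EndpointMismatch(cfg RemoteConfig, uri string,
	resolve func(RemoteConfig, string) (string, error)) (bool, error) {
	got, err := resolve(cfg, uri)
	if err != nil {
		return false, err
	}
	want := cfg.ActiveEndpoint() + "/" + strings.TrimPrefix(uri, "library://")
	return got != want, nil
}

func main() {
	// Constructed sample: a user who configured a private, non-default remote.
	cfg := RemoteConfig{Default: defaultEndpoint, Active: "https://private.example.invalid"}
	uri := "library://victim/project/image:latest"

	v, _ := ResolveActionVulnerable(cfg, uri)
	f, _ := ResolveActionFixed(cfg, uri)
	fmt.Println("vulnerable action path:", v)
	fmt.Println("fixed action path:     ", f)
	m, _ := EndpointMismatch(cfg, uri, ResolveActionVulnerable)
	fmt.Println("mismatch with vulnerable resolver:", m)
}
```

The useful check for a defender is `EndpointMismatch`: with a non-default remote configured, the vulnerable resolver reports a mismatch while the fixed one does not, and with no remote configured both agree, which is why the issue only surfaces for users of a non-default endpoint.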