CVE

CVE-2021-22205

3field notes · 0digests

Field notes

Analysis · May 20, 2026 · analysis-desk
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
Analysis · May 20, 2026 · analysis-desk
The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
Analysis · May 20, 2026 · analysis-desk
GitLab CVE-2021-22205: the upload that ran code through an image parser
CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab. It was in ExifTool, the metadata library GitLab used to process uploaded images. Upload a crafted file, ExifTool parses it, code runs. Image parsers are a recurring RCE vector.