Unauthenticated GitLab SSRF - CI Lint API [CVE-2021-22214]
Prince-Mendiratta opened this issue · 1 comment
Vulnerability Details
This is based on SSRF due to CVE-2021-22214.
When requests to the internal network for webhooks are enabled, a server-side request forgery (SSRF) vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
Our team at Astra Security would like to contribute the scan rule for detecting this vulnerability.
Vulnerable GitLab Versions
- 10.5 - 13.10.5
- 13.11 - 13.11.5
- 13.12 - 13.12.2
GitLab versions the script has been tested on:
- latest (14.1.0, at the time of release) -> Not Vulnerable (401 Not Authorized)
- 13.11.7 -> Not Vulnerable (401 Not Authorized)
- 13.11.2 -> Vulnerable
- 12.7.4 -> Vulnerable
Testing
To demonstrate this vulnerability, we have simulated the attack scenario at https://hypejab.herokuapp.com/api/v4/ci/lint. It can be used for testing purposes, and an actual vulnerable GitLab instance should also respond in a similar manner.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://docs.gitlab.com/ee/api/lint.html
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22214.json
The script has been tailored for both the Nashorn and Graal.js engines.
Signed-off-by: prince.mendiratta@getastra.com
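As an added example (not the issue's scan rule and not ZAP or GitLab code), the following ES5-style JavaScript, written so it runs under Nashorn and Graal.js as well as Node, checks a reported GitLab version against the vulnerable ranges listed above and classifies the CI Lint endpoint's status code the way the tested instances behaved (401 Not Authorized on fixed versions). The function names and result labels are assumptions of this example.

```javascript
// Added example: version-range check for CVE-2021-22214 and a classifier for
// the CI Lint endpoint's unauthenticated response, based only on the ranges
// and test results given in the issue. Written in ES5 so it also runs under
// Nashorn (no const/arrow functions/destructuring).

// Inclusive [low, high] ranges from the issue, as [major, minor, patch].
var VULNERABLE_RANGES = [
  [[10, 5, 0], [13, 10, 5]],
  [[13, 11, 0], [13, 11, 5]],
  [[13, 12, 0], [13, 12, 2]]
];

// Parse "13.11.2", "13.11" or "13.11.2-ee" into [13, 11, 2]; null if malformed.
function parseVersion(versionString) {
  var m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(versionString).trim());
  if (!m) { return null; }
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of two version tuples: <0, 0 or >0.
function compareVersions(a, b) {
  for (var i = 0; i < 3; i++) {
    if (a[i] !== b[i]) { return a[i] - b[i]; }
  }
  return 0;
}

// True when the version lies inside one of the listed vulnerable ranges.
function isVulnerableVersion(versionString) {
  var v = parseVersion(versionString);
  if (v === null) { return false; }
  for (var i = 0; i < VULNERABLE_RANGES.length; i++) {
    var low = VULNERABLE_RANGES[i][0];
    var high = VULNERABLE_RANGES[i][1];
    if (compareVersions(v, low) >= 0 && compareVersions(v, high) <= 0) {
      return true;
    }
  }
  return false;
}

// Classify the status the CI Lint endpoint returned to an unauthenticated
// request, following the issue's test results: fixed versions answer 401;
// a 2xx means the endpoint processed unauthenticated input (labels assumed).
function classifyLintResponse(statusCode) {
  if (statusCode === 401) { return "not-vulnerable"; }
  if (statusCode >= 200 && statusCode < 300) { return "unauthenticated-access"; }
  return "inconclusive";
}
```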
It's not necessary to raise an issue if you are going to open a pull request.