External risk intelligence

GitLab Webhook Server-Side Request Forgery Vulnerability

CVE advisoryKnown Exploit

CVE-2021-22175

A server-side request forgery vulnerability in GitLab enables unauthenticated attackers to make unauthorized requests to an organization's internal network. This could expose sensitive systems and data, leading to operational disruption and potential breaches. The business risk involves unauthorized access to internal

5Halo Surface Signal

Server-Side Request Forgery

Gitlab

10.5.0 to before 13.6.713.7.0 to before 13.7.713.8.0 to before 13.8.4

External exposure likelihood

Halo Surface Signal score for CVE-2021-22175

GitLab is a server-based application frequently deployed as a public-facing service for web hosting, CI/CD pipelines, and source code management. Because the vulnerability exists within a core function of the product and is reachable by an unauthenticated attacker, the deployment pattern inherently places the vulnerable surface on the internet in standard configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability within GitLab's webhook functionality allows attackers to make unauthorized requests to an organization's internal network. This flaw can be exploited by unauthenticated individuals, potentially exposing sensitive internal systems and data. The impact could disrupt operations and compromise confidential information.

  • Vulnerable: GitLab webhook feature
  • Flaw: Unauthorized internal network requests
  • Impact: Data compromise, operational disruption

Attack Path

How an attacker could exploit the issue

A server-side request forgery vulnerability in GitLab allows an unauthenticated attacker to access internal network resources when webhook requests are enabled. This exploit can occur even if user registration is disabled on the GitLab instance. The vulnerability impacts organizations by potentially exposing sensitive internal systems and data to unauthorized access.

  • Webhook requests to the internal network are enabled.
  • An unauthenticated attacker sends a crafted request.
  • Attacker gains access to internal network resources.

Live Threat

Current exploitation, exposure, and threat context

A critical server-side request forgery vulnerability exists in GitLab. This flaw allows an unauthenticated attacker to execute malicious requests to an organization's internal network, even if user registration is disabled. The exploitation of this vulnerability could lead to unauthorized access to sensitive internal systems and data, posing a significant business risk.

  • Attackers need no special skill.
  • No access or conditions are required.
  • Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical server-side request forgery vulnerability has been identified in GitLab that could allow an unauthenticated attacker to exploit internal network requests for webhooks. This issue impacts GitLab instances where webhook internal network requests are enabled. Organizations should take immediate action to address this vulnerability to mitigate potential business risks.

  • Find GitLab instances with webhook internal network requests enabled.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes, verify implementation, and monitor systems.

Frequently asked questions

What is GitLab and what is its primary function?

GitLab is a web-based DevOps platform that provides a centralized environment for software development. It facilitates source code management, CI/CD pipelines, issue tracking, and project collaboration, streamlining the entire software development lifecycle.

How does CVE-2021-22175 function as a Server-Side Request Forgery (SSRF)?

CVE-2021-22175 is a critical SSRF vulnerability. It enables an unauthenticated attacker to trick the GitLab server into making requests to internal network resources, effectively allowing the attacker to probe and potentially access sensitive systems as if they were the server itself.

What specific configuration enables the exploitation path for CVE-2021-22175?

The vulnerability can be exploited when requests to the internal network for webhooks are enabled within GitLab. This condition allows an unauthenticated attacker to leverage the webhook functionality to perform SSRF attacks, even if user registration on the instance is disabled.

What is the significance of CVE-2021-22175 according to the Halo Surface Signal?

The Halo Surface Signal indicates that CVE-2021-22175 is 'Very likely' exploitable. This is because GitLab is often deployed as a public-facing service, and the vulnerability resides in a core function accessible by unauthenticated attackers, placing a significant attack surface in a potentially exposed environment.

What practical steps should be taken to address the GitLab SSRF vulnerability?

Organizations should identify GitLab instances with internal network requests for webhooks enabled. It's advisable to reduce the exposure of these instances or isolate them. Applying vendor-provided fixes, verifying their successful implementation, and continuously monitoring affected systems are crucial steps to mitigate potential business risks.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified