CVE-2018-19571: SSRF in project integrations (webhook) (#53242) · Issues · GitLab.org / GitLab FOSS · GitLab
GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.
Open issue created Oct 26, 2018 by GitLab SecurityBot (@gitlab-securitybot), Reporter
SSRF in project integrations (webhook)
HackerOne report #429147 by nyangawa on 2018-10-26:
Summary: An invalid IP address check could be utilized to access any IP address, including private IP addresses.
Description: The validators in lib/gitlab/url_blocker.rb do not check URLs like http://[0:0:0:0:0:ffff:127.0.0.1]:6379, which is an IPv6 address that is used to map to IPv4. Replacing the 127.0.0.1 part with any other IP address is also possible.
Steps To Reproduce:
(Add details for how we can reproduce the issue)
- Create a webhook in any existing project, with a URL like http://[0:0:0:0:0:ffff:127.0.0.1]:9100
- Test the webhook
Supporting Material/References:
I did several harmless tests on GitLab.com. https://gitlab.com/Nyangawa/www-gitlab-com/hooks/415288
And verified it’s possible in my 11.4.0 GitLab Docker instance.
Impact
Due to some limits of GitLab’s webhook, this is a blind SSRF issue without the full response being printed. But it is still possible for an attacker to send POST requests to internal services to do further penetration of the infrastructure.
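The report above shows an IPv4-only blocklist being bypassed by an IPv4-mapped IPv6 literal. The following is an added defensive illustration, not GitLab's url_blocker.rb or any code from the report: it unwraps `::ffff:a.b.c.d` literals to their embedded IPv4 address before applying the blocklist, so the mapped form is judged the same way as the plain IPv4 form. The function names, the CIDR lists and the sample URLs (203.0.113.10 is a documentation-range address) are constructed for this example.

```ruby
require 'ipaddr'
require 'uri'

# Constructed blocklists for the example; a real deployment would also
# cover link-local/metadata ranges and allow administrator overrides.
BLOCKED_V4 = %w[0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
                172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }
BLOCKED_V6 = %w[::1/128 fc00::/7 fe80::/10].map { |c| IPAddr.new(c) }

# Decide whether a single IP literal is on the blocklist.
# The key step is IPAddr#native: an IPv4-mapped address such as
# ::ffff:127.0.0.1 is converted to 127.0.0.1 and checked as IPv4.
def blocked_address?(ip)
  ip = ip.native if ip.ipv4_mapped?
  cidrs = ip.ipv4? ? BLOCKED_V4 : BLOCKED_V6
  cidrs.any? { |cidr| cidr.include?(ip) }
end

# Return true when the webhook URL may be used, false when it must be refused.
# Hostnames (non-literal hosts) are accepted here for brevity; a complete
# blocker must resolve the name and run blocked_address? on every result.
def safe_webhook_url?(url)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)

  # URI#hostname strips the [] brackets that surround IPv6 literals.
  host = uri.hostname.to_s
  return false if host.empty?

  ip = begin
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end
  return true if ip.nil? # hostname, see note above

  !blocked_address?(ip)
rescue URI::InvalidURIError
  false
end
```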