GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*
- >= 15.5, < 16.9.7
- >= 16.10, < 16.10.5
- >= 16.11, < 16.11.2
A server-side request forgery (SSRF) vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.5 prior to 16.9.7, 16.10 prior to 16.10.5, and 16.11 prior to 16.11.2. The flaw is in the GitHub importer: when it imports issues, it fetches the targets of markdown image links found in the issue body, so an attacker who controls an issue can point such a link at a domain they operate. The GitLab server then requests that URL and follows the response, which lets the attacker steer the request to other destinations, potentially exposing data or reaching internal services.
A successful exploit lets the attacker make the GitLab server send GET requests to arbitrary private network endpoints: services on the loopback interface, link-local addresses, or the private LAN. The attacker does not need an account on the target GitLab server, since the crafted issue lives on GitHub and the fetch is triggered by whichever user of the target imports that repository. Endpoints such as the AWS EC2 instance metadata service (IMDSv1) or the kubelet read-only port (10255 by default) answer unauthenticated GETs and could yield critical information; IMDSv2 is out of reach for this primitive because it requires a PUT to obtain a session token first.
To reproduce the vulnerability as described, first enable the 'allow_local_requests_from_web_hooks_and_services' application setting on the GitLab server (it is disabled by default; the steps below assume it is on). Then create a DNS record for 'user-images.githubusercontent.com.attacker.controlled.domain' pointing at a server you control, and obtain a TLS certificate for that name. On that server, run a Python script that serves a 1x1 pixel image but answers the importer's fetch with a redirect to a GitLab Rails metrics endpoint. With this in place, import a GitHub repository whose issues contain a markdown image link to the crafted domain. During the import the GitLab server fetches the image, follows the redirect, and reads the redirected URL, which can be used to extract sensitive data from the GitLab server. The lookalike name is chosen so that it begins with the legitimate GitHub image host; any hostname check that accepts it is not comparing the exact hostname, which is the first thing to verify in any fetcher you audit.
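The reproduction above combines two weaknesses a fetcher can have: a hostname check that a lookalike domain passes, and redirect handling that delivers the request to a loopback address. The block below is an added example for this advisory, not GitLab's code, and does not reproduce the importer's real check; it shows a hypothetical prefix check that the page's lookalike domain passes beside an exact-match check that rejects it, and a fetch routine that validates every redirect hop and refuses non-public addresses. The allowlist, the DNS table, the loopback port 8080 and the /-/metrics path are assumptions, and the DNS and HTTP tables are constructed so that it runs offline.

```python
"""Hardened image fetch for an importer: exact host allowlist, manual redirect
handling and a non-public address check on every hop.

Added example for this advisory; it is not GitLab's code and does not reproduce
the importer's real check. Hosts, addresses, ports and paths are assumptions."""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Hosts the importer is willing to fetch issue images from (assumed allowlist).
ALLOWED_HOSTS = frozenset({"user-images.githubusercontent.com"})

GOOD_URL = "https://user-images.githubusercontent.com/img.png"
REDIRECTING_URL = "https://user-images.githubusercontent.com/redir.png"
LOOKALIKE_URL = "https://user-images.githubusercontent.com.attacker.controlled.domain/img.png"

# Constructed DNS table so the example runs offline. The lookalike host is the
# one from the reproduction steps; the addresses are placeholders, not real
# resolutions.
FAKE_DNS: Dict[str, List[str]] = {
    "user-images.githubusercontent.com": ["1.2.3.4"],
    "user-images.githubusercontent.com.attacker.controlled.domain": ["5.6.7.8"],
    "localhost": ["127.0.0.1", "::1"],
}

Response = Tuple[int, Dict[str, str], bytes]

# Constructed HTTP responses. The attacker host answers the image fetch with a
# redirect to a loopback Rails metrics endpoint, as the reproduction describes
# (the loopback port and the /-/metrics path are assumptions for this example).
FAKE_HTTP: Dict[str, Response] = {
    GOOD_URL: (200, {"content-type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
    REDIRECTING_URL: (302, {"location": "http://localhost:8080/-/metrics"}, b""),
    LOOKALIKE_URL: (302, {"location": "http://localhost:8080/-/metrics"}, b""),
    "http://localhost:8080/-/metrics": (200, {"content-type": "text/plain"}, b"# internal metrics"),
}


class SSRFBlocked(Exception):
    """Raised when a hop fails validation; the request is never sent."""


def loose_host_check(url: str) -> bool:
    """Hypothetical weak check: prefix match on the hostname. Shown only because
    the reproduction's lookalike domain passes it; the page does not say what
    the vulnerable importer actually checked."""
    host = (urlparse(url).hostname or "").lower()
    return any(host.startswith(allowed) for allowed in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Exact hostname match against the allowlist, https only."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and (parsed.hostname or "").lower() in ALLOWED_HOSTS


def is_public_address(ip: str) -> bool:
    """False for loopback, link-local (covers 169.254.169.254), RFC 1918 / ULA,
    multicast, reserved and unspecified addresses, for both IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_hop(url: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Allowlist the host, then check every address it resolves to."""
    if not strict_host_check(url):
        raise SSRFBlocked(f"host not allowlisted: {url}")
    host = (urlparse(url).hostname or "").lower()
    addrs = resolve(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise SSRFBlocked(f"{host} resolves to a non-public address")
    return addrs


def safe_fetch(url: str,
               resolve: Callable[[str], List[str]] = lambda h: FAKE_DNS.get(h, []),
               fetch: Callable[[str], Response] = lambda u: FAKE_HTTP.get(u, (404, {}, b"")),
               max_redirects: int = 3) -> bytes:
    """Follow redirects by hand so that each Location is validated before use.
    The default resolve/fetch callables use the constructed tables above."""
    for _ in range(max_redirects + 1):
        validate_hop(url, resolve)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("location", ""))  # re-validated next loop
            continue
        if status != 200:
            raise RuntimeError(f"unexpected status {status} for {url}")
        return body
    raise SSRFBlocked("too many redirects")


def fetch_outcome(url: str, **kwargs) -> str:
    """'ok' when the fetch completes, otherwise the reason it was blocked."""
    try:
        safe_fetch(url, **kwargs)
        return "ok"
    except SSRFBlocked as exc:
        return f"blocked: {exc}"
```

Two details matter in a real deployment. The resolved addresses returned by validate_hop must be the ones the socket actually connects to (pin them, or resolve once inside the HTTP client), otherwise a second lookup at connect time can rebind the name to an internal address after the check has passed. And the allowlist comparison must be against the full parsed hostname, never a prefix, suffix or unanchored pattern; the lookalike domain from the reproduction is exactly the input that distinguishes the two.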
Upgrade to GitLab 16.9.7, 16.10.5, or 16.11.2 (or any later release) to address this vulnerability.
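The version ranges above have three separate upper bounds, so a simple "below 16.11.2" comparison gives the wrong answer for 16.9.7 through 16.9.x and 16.10.5 through 16.10.x, which are already fixed. The following added example (not GitLab tooling) encodes the advisory's ranges as inclusive/exclusive bounds and reports whether a version string is affected and which patched release covers it; the handling of a 'v' prefix and of edition suffixes such as '-ee' is an assumption about the formats you may meet.

```python
"""Check a GitLab version string against this advisory's affected ranges.

Added example; it is not GitLab tooling. The ranges come from the advisory above."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) for each affected range.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((15, 5, 0), (16, 9, 7)),
    ((16, 10, 0), (16, 10, 5)),
    ((16, 11, 0), (16, 11, 2)),
]

# Lowest patched release covering each range, in the same order.
FIXED_IN = ["16.9.7", "16.10.5", "16.11.2"]


def parse_version(text: str) -> Version:
    """'16.9.6-ee' -> (16, 9, 6). A leading 'v' and an edition/build suffix
    after '-' or '+' are ignored (assumed formats); '16.10' is read as 16.10.0."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognized version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def affected_range_index(text: str) -> Optional[int]:
    """Index into AFFECTED_RANGES that contains the version, or None."""
    version = parse_version(text)
    for i, (lo, hi) in enumerate(AFFECTED_RANGES):
        if lo <= version < hi:
            return i
    return None


def is_affected(text: str) -> bool:
    return affected_range_index(text) is not None


def fix_for(text: str) -> Optional[str]:
    """Lowest patched release covering the version, or None if not affected."""
    index = affected_range_index(text)
    return None if index is None else FIXED_IN[index]


if __name__ == "__main__":
    for sample in ["16.9.6-ee", "16.9.7", "16.10.4", "16.10.5", "16.11.1", "16.11.2", "17.0.0"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} fix={fix_for(sample)}")
```

The version string to feed in is the one shown in the Admin Area or printed by gitlab-rake gitlab:env:info on the instance; the authenticated GET /api/v4/version endpoint returns the same value for scripted checks.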