GitLab EE External Service Interaction Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in GitLab EE versions 15.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It allows an attacker to make the GitLab server send requests to unintended external services. The issue arises when a workspace is created and GitLab parses the project's .devfile.yaml: during that step an internal Go binary issues HTTP requests to any uri defined in an openshift or kubernetes component, without validating the URL first.

Impact

Exploitation of this vulnerability could cause the GitLab server to make unauthorized HTTP requests to internal resources, potentially disrupting them or exposing sensitive information.

Reproduction

To reproduce this vulnerability, log into a GitLab instance with a user account that has access to a project containing a .devfile.yaml file. Edit the .devfile.yaml to include a URL pointing to a remote server capable of receiving HTTP requests, such as an Interactsh endpoint. Once the workspace is created, the GitLab server will parse the devfile and send a request to the specified URL, demonstrating the SSRF vulnerability.
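As an added illustration, not code from GitLab or from this advisory, the following Ruby check applies the validation the devfile parser described above was missing: it loads a constructed .devfile.yaml, finds kubernetes and openshift components that carry a uri, and flags any target that is a private or loopback address or a host outside an allowlist. The sample devfile, the address ranges and the allowlist are assumptions.

```ruby
require 'yaml'
require 'uri'
require 'ipaddr'

# Constructed sample devfile (not from the advisory): one kubernetes
# component pointing at an internal address, one openshift component
# pointing at an external host, and a container component with no uri.
SAMPLE_DEVFILE = <<~YAML
  schemaVersion: 2.2.0
  components:
    - name: app
      container:
        image: registry.example.com/app:latest
    - name: manifests
      kubernetes:
        uri: http://10.0.0.12/manifests.yaml
    - name: routes
      openshift:
        uri: https://raw.example.org/routes.yaml
YAML

# Address ranges a server-side fetch should never reach (assumed policy).
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
                    169.254.0.0/16 ::1/128 fc00::/7].map { |r| IPAddr.new(r) }

# Returns a reason string when the uri should be rejected, nil when it is acceptable.
# Caveat: a hostname on the allowlist can still resolve to an internal address
# (DNS rebinding), so the resolved IP must also be checked at fetch time.
def classify_uri(uri, allowed_hosts)
  parsed = URI.parse(uri)
  return 'non-http scheme' unless %w[http https].include?(parsed.scheme)
  host = parsed.hostname
  return 'missing host' if host.nil? || host.empty?
  begin
    ip = IPAddr.new(host)
    return 'private or loopback address' if PRIVATE_RANGES.any? { |r| r.include?(ip) }
  rescue IPAddr::InvalidAddressError
    # not a literal IP: fall through to the hostname allowlist
  end
  allowed_hosts.include?(host) ? nil : 'host not on allowlist'
rescue URI::InvalidURIError
  'unparseable URI'
end

# Walks every component and reports kubernetes/openshift uris that fail the policy.
def audit_devfile(yaml_text, allowed_hosts: [])
  doc = YAML.safe_load(yaml_text) || {}
  Array(doc['components']).flat_map do |comp|
    %w[kubernetes openshift].filter_map do |kind|
      uri = comp.dig(kind, 'uri')
      reason = uri && classify_uri(uri, allowed_hosts)
      { name: comp['name'], kind: kind, uri: uri, reason: reason } if reason
    end
  end
end
```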

Remediation

This vulnerability has been fixed in GitLab EE version 17.8.2. Users should upgrade to this version or a later release.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 8.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.