GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*
- >= 13.12, < 17.8.7
- >= 17.9, < 17.9.6
- >= 17.10, < 17.10.4
A vulnerability exists in GitLab Community Edition and Enterprise Edition, affecting versions 13.12 prior to 17.8.7, 17.9 prior to 17.9.6, and 17.10 prior to 17.10.4. This vulnerability allows users to bypass IP access restrictions and access sensitive information under certain conditions. The issue arises because the application does not enforce IP restrictions on Action Cable or WebSocket requests, enabling unauthorized access to group resources through GraphQL subscriptions.
Exploitation of this vulnerability allows for unauthorized access to sensitive group information, such as updates to work items, including epics and issues, thereby bypassing established IP restrictions.
To reproduce this vulnerability, create a public group and project in GitLab. As a group owner, set an IP restriction and then use a different account to access the group. The restricted account will not have access to the group's resources. However, by subscribing to a GraphQL subscription operation related to work items, such as epics or issues, it is possible to receive updates and information from the restricted group, effectively bypassing the IP access controls.
As a workaround, users can disable IP restrictions in their GitLab group settings to prevent this bypass. A permanent fix, however, requires GitLab to change how IP restrictions are applied to WebSocket requests.