GitLab CE/EE Improper Neutralization of CRLF Sequences Vulnerability Allows Unintended Internal Requests

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 8.11 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. This vulnerability could have enabled an authenticated user to make unintended internal requests through proxy environments, under certain conditions. The issue arises from improper input validation in the import functionality, which could have been exploited to manipulate internal request handling.

Impact

Exploitation of this vulnerability could lead to unintended internal requests being made through proxy environments, potentially allowing for internal resources to be accessed or manipulated in ways not intended by the user.

Remediation

Users are advised to upgrade to GitLab versions 18.9.2, 18.8.6, or 18.7.6. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, see the Updating the Runner page.