PT-2021-4075 · Gitlab · Gitlab
Mysteron · Published 2021-01-05 · Updated 2026-04-11
CVE-2021-22175
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GitLab versions 10.5 and later
Description
The issue is a server-side request forgery (SSRF) in GitLab. When requests to the internal network for webhooks are enabled, an unauthenticated attacker can exploit this issue, even on a GitLab instance where registration is disabled. The vulnerability is caused by insecure handling of requests, potentially allowing an attacker to access confidential data and disrupt service.
Recommendations
GitLab versions 10.5 and later: Disable requests to the internal network for webhooks to mitigate the risk of server-side request forgery.
Fix
SSRF
Affected Products
Gitlab