Server-side request forgery is a class of web security vulnerability that allows, for example, an attacker to force a vulnerable server to make a connection to internal services within an organization’s infrastructure.
Researcher ‘Vin01’ discovered that GitLab’s CI Lint API, a library related to code handling and managing developer workflows, was flawed.
After discovering the problem last December, the researcher reported it to GitLab, which responded by publishing a temporary fix in February.
GitLab followed up with a more complete patch early this month, clearing the way for Vin01 to publish a detailed technical write-up of their findings.
Webhook, line, sinker
The affected CI Lint API is used to validate CI/CD YAML configuration for GitLab instances. A flaw in the technology, if left unaddressed, created a means for miscreants to steal sensitive info such as passwords and cloud service credentials, Vin01 told The Daily Swig.
“Installations which had a particular configuration in place to allow internal network requests from GitLab were vulnerable to server-side request forgery (SSRF), where an attacker could have sent a request to internal servers by jumping from the public facing GitLab servers.
“These internal servers are usually not exposed to the internet as they are only meant to be used internally and may contain sensitive information like passwords, API keys, cloud service credentials, which could have been stolen as a result of this vulnerability.”
Public-facing GitLab servers are quite common, and the issue at hand was exacerbated because no authentication was required to exploit it.
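As an added, defender-side illustration of the kind of check that blocks the server-side hop described above, here is a small Ruby URL guard (GitLab is written in Ruby) that resolves the requested host and refuses any destination inside loopback, private or link-local address space. This is example code, not code from GitLab or from Vin01's write-up or test script; the blocked ranges, the injectable resolver and the hostnames used to exercise it are assumptions made for the example, and the article does not state which configuration GitLab's fix changed.

```ruby
require 'ipaddr'
require 'uri'
require 'resolv'

# Address ranges a server-side fetcher should never reach on behalf of an
# untrusted caller: "this network", loopback, RFC 1918 private space,
# link-local (which includes the cloud metadata address 169.254.169.254),
# and the IPv6 loopback, unique-local and link-local equivalents.
# Assumed list for the example; a real deployment adds its own ranges.
BLOCKED_RANGES = %w[
  0.0.0.0/8
  10.0.0.0/8
  127.0.0.0/8
  169.254.0.0/16
  172.16.0.0/12
  192.168.0.0/16
  ::1/128
  fc00::/7
  fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True if the IP address string falls inside any blocked range.
# IPv4-mapped IPv6 addresses (::ffff:10.1.2.3) are unwrapped first so they
# cannot be used to slip an internal IPv4 target past the IPv4 ranges.
def blocked_address?(ip)
  addr = IPAddr.new(ip).native
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true # refuse anything that does not parse as an address
end

# Validate a caller-supplied URL before the server fetches it.
# `resolver` is injectable so the check can be exercised offline; it must
# return the list of IP address strings the host resolves to.
# Returns [true, nil] when the fetch may proceed, [false, reason] otherwise.
def safe_outbound_url?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return [false, 'scheme must be http or https'] unless %w[http https].include?(uri.scheme)

  host = uri.hostname # unlike uri.host, strips the brackets of an IPv6 literal
  return [false, 'missing host'] if host.nil? || host.empty?

  addresses = resolver.call(host)
  return [false, 'host does not resolve'] if addresses.empty?

  # Check every address: a name that resolves to one public and one internal
  # address must be rejected, not waved through on the public one.
  blocked = addresses.find { |ip| blocked_address?(ip) }
  return [false, "host resolves to blocked address #{blocked}"] if blocked

  [true, nil]
rescue URI::InvalidURIError
  [false, 'unparseable URL']
end
```

The guard only decides whether a fetch may start. Because the name is resolved once here and again by the HTTP client, a host whose DNS answer changes between the two lookups could still redirect the connection (DNS rebinding), so the fetching code should connect to the address this check approved rather than resolve the name a second time, and should apply the same check to every redirect it follows.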
“In my research I saw hundreds of vulnerable GitLab servers including but not limited to many open source projects, government departments and universities which use GitLab for hosting their code and integrate it with their infrastructure,” Vin01 added.
The security researcher has put together a small script to test if a GitLab server is vulnerable, available on GitHub.
Vin01 praised GitLab’s handling of the disclosure process, adding that even though they have since privately warned many affected organizations about their exposure to the flaw, there are still many vulnerable instances.