Unauthenticated GitLab SSRF - CI Lint API [CVE-2021-22214] #235

@Prince-Mendiratta

Description

Vulnerability Details
This is based on SSRF due to CVE-2021-22214.
When requests to the internal network for webhooks are enabled, a server-side request forgery (SSRF) vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.

Our team at Astra Security would like to contribute the scan rule for detecting this vulnerability.

Vulnerable GitLab Versions

  • 10.5 - 13.10.5
  • 13.11 - 13.11.5
  • 13.12 - 13.12.2

GitLab versions the script has been tested on:

  1. latest (14.1.0, at the time of release) -> Not Vulnerable (401 Not Authorized)
  2. 13.11.7 -> Not Vulnerable (401 Not Authorized)
  3. 13.11.2 -> Vulnerable
  4. 12.7.4 -> Vulnerable

Testing
To demonstrate this vulnerability, we have simulated the attack scenario at https://hypejab.herokuapp.com/api/v4/ci/lint. It can be used for testing purposes, and an actual vulnerable GitLab instance should also respond in a similar manner.

References

The script has been tailored for both the Nashorn and Graal.js engines.

Signed-off by: [email protected]
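A defender-side companion to the version lists above, added here as an example and not part of the PR's ZAP script: it parses a GitLab version string and reports whether it falls inside the affected ranges as the PR lists them (assumed inclusive at both ends, exactly as written), so an operator can triage an instance from its version before running any active scan.

```javascript
// Added example (not the PR's scan rule): classify a GitLab version against the
// CVE-2021-22214 ranges listed in the PR description.
// Assumption: the PR's ranges are taken as inclusive on both ends, as written.

// Parse "13.11.2", "13.11.2-ee" or "13.11" into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised GitLab version: ${v}`);
  return [Number(m[1]), Number(m[2]), m[3] === undefined ? 0 : Number(m[3])];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges copied from the PR description ("10.5 - 13.10.5", ...).
// Bounds are reproduced verbatim; confirm the boundary releases against
// GitLab's own advisory before relying on this for a go/no-go decision.
const AFFECTED_RANGES = [
  ['10.5', '13.10.5'],
  ['13.11', '13.11.5'],
  ['13.12', '13.12.2'],
];

// True when `version` lies inside any affected range.
function isVersionInAffectedRange(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) <= 0);
}

// Sanity check against the versions the PR reports testing on.
if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['14.1.0', '13.11.7', '13.11.2', '12.7.4']) {
    console.log(v, isVersionInAffectedRange(v) ? 'in affected range' : 'outside affected range');
  }
}
```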
