Our great sponsors
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
Gitlab uses an UrlBlocker class to prevent malicious users from exploiting SSRF via the webhook URL. This class validates the URL and blocks everything which is a local network, but before the 11.5.1 version, they didn't think about an IPv6 format, which maps to IPv4: [0:0:0:0:0:ffff:127.0.0.1]. Replacing the part of 127.0.0.1 to any IP address also worked, and this vulnerability made it possible to send requests to the internal network of a GitLab instance. You can read the issue report here: (https://gitlab.com/gitlab-org/gitlab-foss/-/issues/53242 )[https://gitlab.com/gitlab-org/gitlab-foss/-/issues/53242]
A potential attacker could use curl/wget or whatever is installed on the server to exfiltrate useful information about the host and could find a way to open a remote shell to his machine. You can read more and see an exploit for this issue on GitHub: https://github.com/CS4239-U6/gitlab-ssrf