CVE-2021-22175
📋 TL;DR
CVE-2021-22175 is a server-side request forgery (SSRF) vulnerability in GitLab that allows unauthenticated attackers to make requests to internal network resources when webhooks are configured. This affects all GitLab instances with internal network webhook requests enabled, even those with registration disabled. Attackers can potentially access sensitive internal services.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services accessible from the GitLab server, data exfiltration, or lateral movement to other systems.
Likely Case
Unauthorized access to internal HTTP/HTTPS services, information disclosure from internal APIs or management interfaces.
If Mitigated
Limited to accessing only explicitly allowed internal services with proper network segmentation and authentication.
🎯 Exploit Status
Exploitation requires webhook configuration that allows internal network requests. Public exploit scripts exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.9.4, 13.8.6, and 13.7.7
Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-9-4-released/
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 13.9.4, 13.8.6, or 13.7.7.
3. Restart GitLab services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable internal network webhook requests
Disable the setting that allows webhooks to make requests to internal network resources. On the GitLab host, open a Rails console and update the application setting (this is the same option as 'Allow requests to the local network from web hooks and services' in the Admin Area):
gitlab-rails console
ApplicationSetting.current.update(allow_local_requests_from_web_hooks_and_services: false)
🧯 If You Can't Patch
- Disable 'Allow requests to the local network from web hooks and services' in Admin Area > Settings > Network
- Implement network segmentation to restrict GitLab server access to only necessary internal services
🔍 How to Verify
Check if Vulnerable:
Check GitLab version and verify if 'Allow requests to the local network from web hooks and services' is enabled in Admin settings.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm GitLab version is 13.9.4, 13.8.6, 13.7.7 or later, and test that internal network requests from webhooks are properly restricted.
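The version check above has a branch subtlety: 13.8.7 is patched while 13.9.2 is not, even though 13.9.2 sorts higher. The following Ruby (an added example, not GitLab's own code) encodes the advisory's three fix releases and combines the version result with the value of the local-network webhook setting read from the Rails console; version strings, edition suffixes and setting values are assumed inputs.

```ruby
# Fix releases named in the advisory; anything newer on the same minor line,
# or on a later line (13.10+, 14.x), is also patched.
FIXED_VERSIONS = %w[13.7.7 13.8.6 13.9.4].freeze

# "13.9.3-ee" -> [13, 9, 3]; the CE/EE suffix is irrelevant to this check.
def parse_version(str)
  str.to_s.strip.sub(/-.*\z/, "").split(".").map(&:to_i)
end

# Patched if at or above the fix release of the instance's own minor branch,
# or above the newest fixed branch altogether. Older branches (13.6 and
# earlier) have no fix release and are reported as unpatched.
def patched?(version_str)
  v = parse_version(version_str)
  return false if v.length < 3
  branch_fix = FIXED_VERSIONS.find { |f| parse_version(f)[0, 2] == v[0, 2] }
  if branch_fix
    (v <=> parse_version(branch_fix)) >= 0
  else
    (v <=> parse_version(FIXED_VERSIONS.last)) > 0
  end
end

# The SSRF is reachable only when local-network webhook requests are allowed.
# allow_local_requests is the value of
# ApplicationSetting.current.allow_local_requests_from_web_hooks_and_services
# as read in `gitlab-rails console` (assumed to be supplied by the operator).
def vulnerable?(version_str, allow_local_requests)
  !patched?(version_str) && allow_local_requests
end

def assess(version_str, allow_local_requests)
  if vulnerable?(version_str, allow_local_requests)
    "VULNERABLE: #{version_str} is unpatched and local webhook requests are enabled"
  elsif !patched?(version_str)
    "UNPATCHED: #{version_str}; workaround setting is off, upgrade still required"
  else
    "PATCHED: #{version_str}"
  end
end

puts assess("13.9.3-ee", true)
```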
📡 Detection & Monitoring
Log Indicators:
- Unusual webhook activity to internal IP addresses
- Failed authentication attempts from webhook sources
Network Indicators:
- HTTP requests from GitLab server to unexpected internal services
- Port scanning activity originating from GitLab server
SIEM Query:
source="gitlab.log" AND "webhook" AND ("internal_network" OR "127.0.0.1" OR "localhost" OR "192.168." OR "10." OR "172.16.")
Note that the bare prefixes "10." and "172.16." also match unrelated strings (e.g. 110.x.x.x addresses or version numbers such as 13.10.1), so expect to tune this query or classify the destination address properly in a follow-up step.
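Substring matching on "10." or "172.16." is a coarse first pass. The Ruby below (an added example, not part of this advisory or of GitLab) classifies webhook destinations with real address ranges instead, flagging loopback, RFC 1918 and link-local targets; the JSON log lines are constructed samples in an assumed shape, not actual GitLab output, and hostnames other than localhost are deliberately left unclassified because they would need DNS resolution.

```ruby
require "ipaddr"
require "json"
require "uri"

# Constructed sample lines (assumed shape, not real GitLab log output).
# The 110.20.30.40 line is public and must NOT be flagged, although a naive
# "10." substring match would catch it.
SAMPLE_LOG = <<~LOG
  {"class":"WebHookWorker","url":"https://ci.example.com/hook","project_id":42}
  {"class":"WebHookWorker","url":"http://127.0.0.1:8080/admin","project_id":42}
  {"class":"WebHookWorker","url":"http://10.0.3.7:6379/","project_id":7}
  {"class":"WebHookWorker","url":"http://169.254.169.254/latest/meta-data/","project_id":7}
  {"class":"WebHookWorker","url":"http://110.20.30.40/","project_id":9}
  {"class":"WebHookWorker","url":"http://localhost/","project_id":9}
  {"class":"SomethingElse","url":"http://10.0.0.1/","project_id":1}
LOG

# True for literal addresses in loopback, private (RFC 1918 / ULA) or
# link-local ranges, plus the name "localhost". Any other hostname returns
# false: it cannot be judged without resolving it first.
def internal_host?(host)
  return true if host.casecmp?("localhost")
  ip = IPAddr.new(host)
  ip.loopback? || ip.private? || ip.link_local?
rescue IPAddr::InvalidAddressError
  false
end

# Returns one hash per webhook delivery whose destination is internal.
def suspicious_webhook_lines(log_text)
  log_text.each_line.each_with_object([]) do |line, hits|
    entry = JSON.parse(line) rescue nil
    next unless entry && entry["class"] == "WebHookWorker" && entry["url"]
    host = URI(entry["url"]).hostname rescue nil
    next unless host && internal_host?(host)
    hits << { project_id: entry["project_id"], url: entry["url"], host: host }
  end
end

suspicious_webhook_lines(SAMPLE_LOG).each { |h| puts "project #{h[:project_id]} -> #{h[:url]}" }
```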
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/294178
- https://hackerone.com/reports/1059596
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22175