CVE-2021-39935
📋 TL;DR
This vulnerability allows unauthorized external users to perform Server Side Request Forgery (SSRF) attacks through GitLab's CI Lint API. Attackers can make the GitLab server send requests to internal systems, potentially accessing sensitive data or services. All GitLab CE/EE instances within affected version ranges are vulnerable.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems by exploiting SSRF to reach internal networks.
Likely Case
Unauthorized users could probe internal networks, access metadata services, or interact with internal APIs that shouldn't be exposed externally.
If Mitigated
With proper network segmentation and access controls, impact is limited to the GitLab server's network segment.
🎯 Exploit Status
SSRF exploitation is well-documented and tools exist to automate attacks. The CI Lint API endpoint is publicly accessible by default.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.3.6, 14.4.4, or 14.5.2
Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 14.3.6, 14.4.4, or 14.5.2 depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict CI Lint API Access
Limit access to the CI Lint API endpoint using network controls or authentication.
# Configure firewall rules to restrict access to /api/v4/ci/lint
# Use GitLab's application settings to require authentication for API endpoints
Disable External CI/CD Features
Temporarily disable CI/CD features for external users if not required.
# In GitLab admin settings, disable 'Allow external users to access CI/CD'
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GitLab from internal services
- Deploy a WAF with SSRF protection rules to block malicious requests
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version via the admin panel or command line. If the version falls within the affected ranges (below the fix release for its branch), the system is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
After patching, verify the version is 14.3.6, 14.4.4, or 14.5.2 (or a later release on that branch). Test the CI Lint API with SSRF payloads to confirm they're blocked.
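The version check above is easy to get wrong by hand because the fix shipped on three separate branches. The following is an added example (not part of the advisory or of GitLab itself) that parses the output of the `gitlab-rake gitlab:env:info` command shown above and decides whether the reported version is at or above the fix release for its branch. The fix versions come from the advisory; the handling of branches it does not name (anything older than 14.3 treated as unpatched, anything newer than 14.5 treated as carrying the fix) is an assumption made here.

```python
"""Decide whether a GitLab version string is at or above the fix release
for CVE-2021-39935 on its branch. Added example; not GitLab's own code."""
import re

# Fix releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (14, 3): (14, 3, 6),
    (14, 4): (14, 4, 4),
    (14, 5): (14, 5, 2),
}

# Assumption (not stated in the advisory): 14.5 is the newest fixed branch,
# so 14.6+ is treated as including the fix, and anything older than 14.3 is
# treated as unpatched because the page gives no lower bound.
LATEST_FIXED_BRANCH = (14, 5)


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'GitLab version:   14.4.3-ee'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True when the version is at or above its branch's fix release."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    # A branch newer than any named fix is assumed to ship the fix;
    # an older branch is conservatively reported as unpatched.
    return branch > LATEST_FIXED_BRANCH


def assess(env_info_output):
    """Summarise a 'gitlab:env:info' line into a small report dict."""
    version = parse_version(env_info_output)
    return {"version": version, "patched": is_patched(version)}


if __name__ == "__main__":
    # Constructed sample of the grep output from the command above.
    print(assess("GitLab version:   14.4.3-ee"))
```

Feed it the single line produced by `sudo gitlab-rake gitlab:env:info | grep 'GitLab version'`; the conservative default for unnamed branches is deliberate, since a false "patched" verdict is the expensive mistake here.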
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/v4/ci/lint endpoint
- Outbound requests from GitLab to internal IP ranges
- HTTP requests with unusual headers or parameters
Network Indicators:
- GitLab server making unexpected outbound connections
- Traffic to internal services from GitLab's IP
SIEM Query:
source="gitlab.logs" AND (uri_path="/api/v4/ci/lint" AND (user_agent="*curl*" OR user_agent="*python*" OR user_agent="*scan*"))
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/346187
- https://hackerone.com/reports/1236965
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39935