CVE-2018-8801 - Server-Side Request Forgery (SSRF) vulnerability in GitLab
CVSS metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Summary
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
Nessus
| Field | Value |
|---|---|
| NASL family | FreeBSD Local Security Checks |
| NASL id | FREEBSD_PKG_DC0C201C31DA11E8AC53D8CB8ABF62DD.NASL |
| description | GitLab reports: SSRF in services and web hooks. There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801. GitLab Auth0 integration issue: there was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 108704 |
| published | 2018-03-29 |
| reporter | This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/108704 |
| title | FreeBSD : Gitlab -- multiple vulnerabilities (dc0c201c-31da-11e8-ac53-d8cb8abf62dd) |
References
- https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md
- https://gitlab.com/gitlab-org/gitlab-ce/issues/41642
- https://hackerone.com/reports/301924