GitLab CI Lint SSRF
Description
GitLab's CI Lint API endpoint provides functionality to validate CI/CD YAML configuration files and supports fetching configurations from remote URLs. This endpoint is accessible without authentication and does not properly validate or restrict the destination of remote requests. An unauthenticated attacker can exploit this functionality to perform Server-Side Request Forgery (SSRF) attacks, causing the GitLab server to make arbitrary HTTP requests to internal or external resources.
Remediation
Upgrade GitLab to the latest patched version that addresses this vulnerability. Consult GitLab's security advisories to identify the specific version that contains the fix for this SSRF issue.
If immediate patching is not possible, implement the following compensating controls:
1. Restrict access to the CI Lint API endpoint (/api/v4/ci/lint) using web application firewall rules or reverse proxy configurations to allow access only from trusted IP addresses or authenticated users.
2. Implement network segmentation to limit the GitLab server's ability to access sensitive internal resources.
3. Monitor and log all requests to the CI Lint API endpoint for suspicious activity, particularly requests attempting to access internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints.
4. Consider disabling the CI Lint API endpoint entirely if it is not required for your operations.
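An added example, not code from this page or from GitLab: a pre-filter that a reverse proxy or monitoring hook (items 1 and 3 above) could apply to a CI lint submission, flagging any remote URL whose host is a literal address in the private ranges listed in item 3, loopback, or the link-local block that carries cloud instance metadata (169.254.169.254). It assumes the request body is available to the hook and that remote configs are referenced as URLs in the YAML (GitLab's `include: remote:` form); the sample submission and the hostname list are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Ranges from item 3 of the remediation list, plus loopback and the link-local
# block used by cloud metadata services (169.254.169.254 on major providers).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumed list of hostnames that resolve to local or metadata services.
BLOCKED_HOSTS = {"localhost", "metadata", "metadata.google.internal"}

URL_RE = re.compile(r"https?://[^\s'\"]+")

def suspicious_urls(ci_yaml: str) -> list:
    """Return the remote URLs in a submitted CI config that point at an
    internal, loopback or metadata destination. Hostnames are not resolved
    here, so only literal addresses and the known names above are caught;
    a production check must resolve names and re-check the resolved address."""
    hits = []
    for url in URL_RE.findall(ci_yaml):
        host = urlparse(url).hostname  # brackets stripped for IPv6 literals
        if host is None:
            continue
        if host.lower() in BLOCKED_HOSTS:
            hits.append(url)
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # DNS name: resolve before deciding in a real deployment
        if any(addr in net for net in BLOCKED_NETWORKS):
            hits.append(url)
    return hits

# Constructed sample lint body: one legitimate template include, one private
# address and one metadata address.
SAMPLE_CI_YAML = """
include:
  - remote: 'https://gitlab.example.com/group/ci-templates/-/raw/main/base.yml'
  - remote: 'http://10.0.0.12:8080/config.yml'
  - remote: 'http://169.254.169.254/ci.yml'
build:
  script: ["make"]
"""

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_CI_YAML):
        print("flagged remote include:", url)
```

Requests whose body produces a non-empty result can be rejected at the proxy or written to the log stream monitored under item 3.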