Conversation

@Prince-Mendiratta
Contributor

@Prince-Mendiratta Prince-Mendiratta commented Jul 27, 2021

#235 - Unauthenticated GitLab SSRF - CI Lint API [CVE-2021-22214]

Signed-off by: prince.mendiratta@getastra.com

@thc202 thc202 linked an issue Jul 27, 2021 that may be closed by this pull request
@thc202
Member

thc202 commented Jul 27, 2021

The DCO check is failing, the commits should be fixed up.

@lgtm-com

lgtm-com bot commented Jul 27, 2021

This pull request introduces 1 alert when merging 9a16df5 into fd99a0a - view on LGTM.com

new alerts:

  • 1 for Missing variable declaration

@Prince-Mendiratta
Contributor Author

Updated, please review!

@lgtm-com

lgtm-com bot commented Jul 29, 2021

This pull request introduces 3 alerts when merging 655f55f into b8e06ef - view on LGTM.com

new alerts:

  • 3 for Missing variable declaration

@kingthorin
Member

Thanks for that screenshot by the way, that helps make things make more sense. I wasn't aware that GitLab had a private (or personal) hosted solution. (Though I also didn't bother to read up on the CVE you'd quoted 🤷 )

@Prince-Mendiratta
Contributor Author

Ah, GitLab offers community and enterprise editions that can be hosted privately, and many enterprises prefer to manage their codebase through these private GitLab instances. Moreover, there's a high chance this issue might be prevalent on those instances since upgrading GitLab can prove to be quite a bit of hassle. 😛

Member

@kingthorin kingthorin left a comment

Looks good to me

@Prince-Mendiratta
Contributor Author

Hi! @thc202 @psiinon any updates?

@Prince-Mendiratta Prince-Mendiratta changed the title Unauthenticated Gitlab SSRF - CI Lint API [CVE-2021-22214] Unauthenticated GitLab SSRF - CI Lint API [CVE-2021-22214] Aug 2, 2021
Signed-off-by: Prince Mendiratta <prince.mendiratta@getastra.com>
@thc202
Member

thc202 commented Aug 3, 2021

Fixed up the commits.

@thc202
Member

thc202 commented Aug 3, 2021

Thank you!

Member

@kingthorin kingthorin left a comment

Thanks

@kingthorin kingthorin merged commit 58d4a27 into zaproxy:main Aug 3, 2021