CVE-2018-19571
Published: 2019-07-10

GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

Priority: P2 (64) · high · CVSS 3.1 score 7.7
EPSS: 27.98% (97.9th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 11.3.11+dfsg-1 (sid) | gitlab 11.3.11+dfsg-1 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 11.4.0 < 11.4.8 | 11.4.8 |
| gitlab | gitlab | >= 11.5.0 < 11.5.1 | 11.5.1 |
| gitlab | gitlab | >= 8.18.0 < 11.3.11 | 11.3.11 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
- Detect SSRF via git import_url using an IPv6-mapped IPv4 loopback address targeting Redis on port 6379, the core exploitation primitive for CVE-2018-19571.
- Monitor for the anomalous User-Agent 'Moana Browser 1.0' in HTTP requests to GitLab, associated with exploit script 49257.
- Flag POST to /projects with Content-Type application/x-www-form-urlencoded containing the string 'resque:gitlab:queue:system_hook_push' in the body.
- Detect outbound connections from the GitLab server to 127.0.0.1:6379 (Redis) originating from the git import/clone functionality, indicating SSRF exploitation.
- Exploitation requires an authenticated GitLab session; the SSRF in webhooks/import_url is chained with CVE-2018-19585 (CRLF injection) to achieve RCE. Blocking unauthenticated access alone is insufficient.
- The exploit targets GitLab running on non-standard port 5080 in the tested environment; detection rules should not be limited to port 80/443.
- Affected versions span a wide range (8.18 through 11.5.0); patched versions are 11.3.11, 11.4.8, and 11.5.1. Ensure version checks cover all branches.
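As an added example (not code from any of the indexed sources or exploit scripts), the Python below checks request log lines against the indicators listed above, and goes one step further on the first indicator by normalising IPv6-mapped loopback addresses with the standard `ipaddress` module so that every spelling of loopback on port 6379 is caught, not just the literal `127.0.0.1`. The log line layout, the `...import_url]` form-field naming and the sample values are constructed assumptions for this example, not GitLab's own formats.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator values come from the Detection & IOCs list above.
SUSPECT_UA = "Moana Browser 1.0"
SYSHOOK_MARKER = "resque:gitlab:queue:system_hook_push"
REDIS_PORT = 6379
# Constructed log layout for this example (not GitLab's own log format).
LINE_RE = re.compile(r'(\w+) (\S+) ua="([^"]*)" ct="([^"]*)" body="([^"]*)"')


def targets_loopback_redis(url):
    # True when the URL points at the local Redis port, including the IPv6-mapped
    # loopback form [::ffff:127.0.0.1] that a plain '127.0.0.1' substring match misses.
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed bracketed host or non-numeric port
        return False
    if host is None or port != REDIS_PORT:
        return False
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # some other DNS name: out of scope for this check
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d to a.b.c.d
    return addr.is_loopback


def classify_request(line):
    # Return the names of the indicators matched by one request log line.
    m = LINE_RE.match(line)
    if not m:
        return []
    method, path, ua, ctype, body = m.groups()
    hits = []
    if ua == SUSPECT_UA:
        hits.append("suspect-user-agent")
    if method == "POST" and path.startswith("/projects"):
        # unquote() so a %3A-encoded copy of the marker is caught as well
        if ctype.startswith("application/x-www-form-urlencoded") and SYSHOOK_MARKER in unquote(body):
            hits.append("system-hook-push-in-body")
        for key, values in parse_qs(body).items():
            if key.endswith(("import_url", "import_url]")):  # assumed form-field naming
                if any(targets_loopback_redis(v) for v in values):
                    hits.append("import-url-loopback-redis")
    return hits
```

Run `classify_request` over each line of an access log that records the request body; a line returning more than one indicator name is the strongest signal, since the bullets above describe those indicators appearing together in one request.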
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_debian | — | 7.7 | HIGH | — |
GitLab (vendor_gitlab · 2019-07-10 · CVSS 7.7 · HIGH · CWE-918)
CVE-2018-19571: GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.
Debian (vendor_debian · 2018 · CVSS 7.7 · HIGH)
CVE-2018-19571: gitlab - GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
GHSA (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-918)
GHSA-hrrx-p8r8-gj4g: GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.
No detection rules found.
Exploit-DB (exploitdb · 2020-12-24 · CVSS 7.7 · HIGH · CVE-2018-19585)
GitLab 11.4.7 - RCE (Authenticated) (2)
---
```python
# Exploit Title: GitLab 11.4.7 RCE (POC)
# Date: 24th December 2020
# Exploit Author: Norbert Hofmann
# Exploit Modifications: Sam Redmond, Tam Lai Yin
# Original Author: Mohin Paramasivam
# Software Link: https://gitlab.com/
# Environment: GitLab 11.4.7, community edition
# CVE: CVE-2018-19571 + CVE-2018-19585
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import argparse
import random
parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')
parser.add_argument('-u', help='GitLab Username/Email', required=True)
parser.add_argument('-p', help='Gitlab Password', required=True)
parser.add_argument('-g', help='Gitlab URL (without port)', required=True)
parser.add_argument('-l', help='reverse shell ip', required=True)
```
Exploit-DB (exploitdb · 2020-12-14 · CVE-2018-19585)
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)
---
```python
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell
username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQ
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160516/GitLab-11.4.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/160699/GitLab-11.4.7-Remote-Code-Execution.html
- https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
- https://gitlab.com/gitlab-org/gitlab-ce/issues/53242