CVE-2019-5464 — Improper Input Validation in Gitlab

CWE-20 — Improper Input Validation CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 37.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE EE +1 more

Timeline

PublishedJan 28

Latest updateMay 24

Description

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the library is utilized.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDgitlab/gitlab10.2.0 — 11.11.7

▶debiandebian/gitlab< gitlab 12.6.8-3 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

▶CVEListV5gitlab/gitlab_ce_eeAffects GitLab CE/EE 10.2 and later, Fixed in 12.1.2 in 12.0.4 and in 11.11.6+1

Patches

Patch: about.gitlab.com ↗Patch: about.gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-4736-r24c-m444: A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10↗2022-05-24

▶

📋Vendor Advisories

GitLab

CVE-2019-5464: A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the `url_blocker.rb` which could result in SSRF where the lib↗2020-01-28

▶

Debian

CVE-2019-5464: gitlab - A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and ...↗2019

▶