VYPR
Unrated severity · NVD Advisory · Published Dec 14, 2020 · Updated Aug 4, 2024

CVE-2020-35236

Description

The GitLab Webhook Handler in amazee.io Lagoon before 1.12.3 has incorrect access control associated with project deletion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The GitLab webhook handler in Lagoon before 1.12.3 did not authenticate GitLab system hook events, so anyone who could reach the handler could delete projects by sending a forged project_destroy event.

Vulnerability

The GitLab webhook handler in amazee.io Lagoon versions before 1.12.3 lacked access control for GitLab system hooks. The extractWebhookData function in the webhook handler did not verify that an incoming system hook event such as project_destroy actually came from the configured GitLab instance, nor that the sender was authorised to act on the project named in the payload [1][2]. The code paths that act on these events were therefore reachable by any client able to post a system-hook-shaped request to the handler, and project deletion proceeded with no authorisation check [1].

Exploitation

An attacker who can reach the Lagoon webhook handler endpoint can send a crafted HTTP request that mimics a GitLab system hook carrying a project_destroy event and the identifier of the target project. Because the handler acted on system hook events without authenticating them, the forged request is processed as if GitLab had sent it and the named project is deleted. The events that 1.12.3 later enumerated as sensitive (the secureGitlabSystemHooks list, project_destroy among them) were accepted with no additional authentication in earlier versions [1]. No network position beyond reachability of the endpoint is required, and the payload itself supplies the project identifier.

Impact

Successful exploitation allowed an unauthenticated attacker to delete any Lagoon project they could name, causing permanent loss of that project's Lagoon state and disrupting the service it backs. The effect falls primarily on the integrity and availability of projects managed by Lagoon [1][2]. The attacker needs no project membership and no existing privilege within Lagoon.

Mitigation

Fixed in Lagoon version 1.12.3, released December 2020 [2]. The fix enumerates the sensitive GitLab system hook events in a secureGitlabSystemHooks list (project_destroy among them) and validates requests for those events before they are processed [1]. Upgrade to 1.12.3 or later; no workaround was published for earlier versions. As a general hardening step, not one the references describe, restricting network access to the webhook handler so that only the GitLab instance can reach it reduces exposure, since exploitation requires nothing more than reachability. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
