VYPR
Unrated severity · NVD Advisory · Published Jan 27, 2023 · Updated Mar 27, 2025

CVE-2022-4201

Description

A blind SSRF in GitLab CE/EE affecting all versions from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A blind SSRF in GitLab CE/EE allows an attacker controlling a malicious runner to probe internal network addresses via the web terminal session server.

Vulnerability

A blind Server-Side Request Forgery (SSRF) vulnerability exists in GitLab CE/EE versions from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1. The bug resides in the web terminal feature: when a GitLab Runner advertises a session_server with an advertise_address, GitLab does not check whether that address points at a local or internal IP. A malicious runner can therefore specify an internal address (e.g., 127.0.0.1:7777), and GitLab will attempt an outbound request to it when a user opens a web terminal [1].

Exploitation

An attacker must control a GitLab Runner and configure its advertise_address to an internal IP address. When a user subsequently opens a web terminal, GitLab initiates a connection to the specified address. The attacker can observe this connection attempt (e.g., by listening on that address). The request is a blind GET; the connection may fail due to TLS certificate mismatches, but the SSRF still occurs [1].

Impact

An attacker can probe internal network services reachable from the GitLab server, potentially discovering open ports or services. The impact is limited to blind SSRF—no direct data exfiltration or code execution—but it could aid reconnaissance or be chained with other vulnerabilities for greater effect [1].

Mitigation

Upgrade to GitLab 15.4.6, 15.5.5, 15.6.1, or later. The fix applies GitLab's existing SSRF prevention library to validate the advertise_address field [1]. No workaround is documented, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
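The kind of check the fix describes, written as an added example that is not GitLab's own code or its SSRF prevention library: a hypothetical `safe_advertise_address` helper that rejects a runner's advertise_address when it parses or resolves to a loopback, private or link-local address. The DNS table is constructed so the example runs offline; a production check must resolve real hostnames and test every returned address.

```ruby
require "ipaddr"

# Hypothetical helper (added example, not GitLab's code): validate a runner's
# session_server advertise_address before the GitLab server connects to it.

# Ranges a runner must never point the GitLab server at: unspecified, private,
# CGNAT, loopback, link-local, and their IPv6 counterparts.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Constructed DNS table so the example runs offline (not real hosts).
FAKE_DNS = { "runner.example.net" => "203.0.113.10",
             "evil.example.net"   => "127.0.0.1" }.freeze

class InvalidAdvertiseAddress < StandardError; end

# Splits "host:port" or "[ipv6]:port" into [host, port]. On its own this is
# all the vulnerable code path did: the address was accepted as given.
def parse_advertise_address(addr)
  m = addr.match(/\A(?:\[([^\]]+)\]|([^:\[\]]+)):(\d{1,5})\z/)
  raise InvalidAdvertiseAddress, "malformed address #{addr.inspect}" unless m
  port = m[3].to_i
  raise InvalidAdvertiseAddress, "bad port #{port}" unless (1..65535).cover?(port)
  [m[1] || m[2], port]
end

# Turns the host into IPAddr objects. IPv4-mapped IPv6 (::ffff:127.0.0.1) is
# normalised to IPv4 so it cannot slip past the IPv4 ranges.
def resolve_host(host, resolver)
  literal = host.match?(/\A[\d.]+\z/) || host.include?(":")
  targets = literal ? [host] : Array(resolver[host])
  raise InvalidAdvertiseAddress, "unresolvable host #{host}" if targets.empty?
  targets.map { |t| ip = IPAddr.new(t); ip.ipv4_mapped? ? ip.native : ip }
rescue IPAddr::InvalidAddressError => e
  raise InvalidAdvertiseAddress, e.message
end

# Hardened path: reject if any resolved address falls inside a blocked range.
def safe_advertise_address(addr, resolver: FAKE_DNS)
  host, port = parse_advertise_address(addr)
  resolve_host(host, resolver).each do |ip|
    next unless BLOCKED_RANGES.any? { |range| range.include?(ip) }
    raise InvalidAdvertiseAddress, "#{host} resolves to blocked address #{ip}"
  end
  [host, port]
end
```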

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)