Unauthenticated GitLab SSRF

Submitted by Style Pass, 2021-06-16 12:30:05

This is only exploitable if internal network requests are enabled in GitLab (they are disabled by default). That option turns out to be quite widely enabled, though, because internal requests are useful for webhooks and CI operations.
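As an added example (not code from the original post), this is the check a GitLab administrator would run to see whether an instance sits in the exploitable configuration described above. It assumes the settings dict comes from GitLab's application settings API (`GET /api/v4/application/settings`, admin token) and that the keys `allow_local_requests_from_web_hooks_and_services`, `allow_local_requests_from_system_hooks` and `outbound_local_requests_whitelist` are present under those names; the sample settings are constructed.

```python
import ipaddress

# Settings keys assumed to match GitLab's application settings API response.
LOCAL_REQUEST_FLAGS = {
    "allow_local_requests_from_web_hooks_and_services": "webhooks and integrations",
    "allow_local_requests_from_system_hooks": "system hooks",
}


def assess_outbound_settings(settings: dict) -> list[str]:
    """Return findings describing how far outbound requests may reach internally.

    An empty list means local/internal requests are blocked and the
    allowlist holds no broad or sensitive entries.
    """
    findings = []
    for key, what in LOCAL_REQUEST_FLAGS.items():
        if settings.get(key, False):
            findings.append(f"{key}=true: {what} may reach internal addresses")

    # The allowlist admits specific targets even when the flags above are off,
    # so flag entries that are wide networks or cover loopback/link-local space.
    for entry in settings.get("outbound_local_requests_whitelist", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry rather than an address or CIDR
        if net.num_addresses > 256 or net.is_loopback or net.is_link_local:
            findings.append(f"allowlist entry {entry} is broad or sensitive")
    return findings


# Constructed sample: the common "enabled for webhooks/CI" state the post describes.
SAMPLE_SETTINGS = {
    "allow_local_requests_from_web_hooks_and_services": True,
    "allow_local_requests_from_system_hooks": False,
    "outbound_local_requests_whitelist": [
        "10.0.0.0/8",          # whole private range: broad
        "10.0.5.7",            # single host: acceptable
        "127.0.0.1",           # loopback: sensitive
        "ci-runner.internal",  # hostname: not evaluated here
    ],
}

if __name__ == "__main__":
    for finding in assess_outbound_settings(SAMPLE_SETTINGS):
        print(finding)
```

Running it against the sample reports the enabled webhook flag plus the two problematic allowlist entries; a hardened instance returns no findings.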

I disclosed it in December 2020, and the first patch was out in February 2021; the second, complete patch followed recently in June. The GitLab team was very supportive and responsive as always ❤️ Thank you for the bounties and swag, Team GitLab.

I have also disclosed it directly to many affected organizations (universities, open source projects, governments), but vulnerable public-facing instances are still out there. I did not initially intend to blog about it, but looking at the number of affected instances, I think it might help spread the word.
