CVE-2023-6195 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab CE/EE. It lies in the handling of markdown images when a GitHub repository is imported, and it affects all GitLab versions from 15.5 before 16.9.7, all versions from 16.10 before 16.10.5, and all versions from 16.11 before 16.11.2. A successful attack makes the GitLab server issue HTTP requests chosen by the attacker, which can expose sensitive information or lead to unauthorized actions being carried out.
Vulnerability Details
During a GitHub import, GitLab processes the markdown it imports, and for images it makes a server-side request to the image URL. Because that URL comes straight from the repository being imported, an attacker who controls the repository controls where the GitLab server sends the request: this is a Server Side Request Forgery (SSRF). The malicious input is nothing more than a standard markdown inline image (an exclamation mark, bracketed alt text, and the URL in parentheses) whose URL points at a host of the attacker's choosing. A URL on an attacker-owned host such as evil.com confirms that the server fetches the image and reveals the server's egress address; a URL that points at an internal service, the loopback interface, or a cloud metadata endpoint is what turns the fetch into information disclosure or unauthorized actions on the server.
An SSRF of this kind lets an attacker send requests from the GitLab application's own network position, bypassing perimeter controls that only guard against requests arriving from outside. Depending on what the chosen URL reaches, the result can be information disclosure (responses or error details from internal services), manipulation of services that accept unauthenticated requests from the internal network, or denial of service of the importer or of the targeted internal endpoint.
The following links provide additional information about the vulnerability:
1. GitLab Security Advisory (contains details on affected versions and patches): https://about.gitlab.com/releases/2023/04/01/critical-security-release-gitlab-16-11-3-released/
2. CVE-2023-6195 on Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6195
3. National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2023-6195
To exploit this vulnerability, an attacker would need to:
1. Create a GitHub repository containing a markdown image with a malicious URL. This could be in a README file, an issue, or other repository content that supports markdown syntax.
2. Import that repository into the target GitLab CE/EE instance using the GitHub importer, or get a user of that instance who has permission to run the importer to do so.
3. When the importer processes the image, GitLab issues the request to the attacker-chosen URL from the server. What the attacker gains depends on what that URL reaches and on how much of the response, or of any error raised, is reflected back: a request to the attacker's own host confirms the server-side fetch, while a request to an internal service or metadata endpoint is the path to information disclosure or unauthorized actions.
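The check an importer needs before it fetches a markdown image URL, as an added example that is neither GitLab's code nor part of the original advisory: it pulls image URLs out of markdown, restricts the scheme to http/https, resolves the host, unwraps IPv4-mapped IPv6 literals, and refuses any address in loopback, private, link-local (including the 169.254.169.254 metadata endpoint), CGNAT, multicast or reserved space. It goes beyond the page's evil.com case to cover the internal targets that make an SSRF damaging. The README text, the hostnames intranet.example and images.example.org, and the FAKE_DNS answers are all constructed so the example runs offline; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplified matcher for markdown inline images: ![alt](url "optional title").
# Not a full markdown parser; reference-style images and HTML <img> tags are
# out of scope here.
IMAGE_RE = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')

# Ranges an importer must never fetch from: "this" network, RFC 1918, CGNAT,
# loopback, link-local (covers the 169.254.169.254 cloud metadata endpoint),
# IETF protocol assignments, benchmarking, multicast, reserved, plus the IPv6
# unspecified, loopback, ULA, link-local and multicast ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed README (not from any real repository) mixing harmless and
# hostile image URLs.
SAMPLE_README = """# demo project
![logo](https://evil.com/logo.png)
![meta](http://169.254.169.254/latest/meta-data/iam/)
![local](http://127.0.0.1:8080/admin)
![internal](http://intranet.example/secret.png)
![file](file:///etc/passwd)
![mapped](http://[::ffff:127.0.0.1]/x.png)
![v6](http://[::1]/x.png)
![ok](https://images.example.org/pic.png)
"""

# Hypothetical DNS answers so the example runs offline. The documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.
FAKE_DNS = {
    "evil.com": ["203.0.113.10"],
    "intranet.example": ["10.0.0.5"],
    "images.example.org": ["198.51.100.7"],
}


def extract_image_urls(markdown):
    """Return every inline image URL found in the markdown text, in order."""
    return IMAGE_RE.findall(markdown)


def resolve(host, resolver=FAKE_DNS):
    """Return the IP addresses for a host: the literal itself, or the
    resolver's answers (an empty list when the name does not resolve)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver.get(host.lower(), [])]


def is_blocked_address(addr):
    """True if the address falls in a range the importer must not contact.
    IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are unwrapped first so they
    cannot smuggle a loopback or private IPv4 address past the check."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_image_url(url, resolver=FAKE_DNS):
    """Decide whether the importer may fetch this image URL.
    Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r is not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, "host %s does not resolve" % host
    for addr in addrs:  # every answer must be acceptable, not just the first
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


def audit_markdown(markdown, resolver=FAKE_DNS):
    """Map each image URL in the markdown to its (allowed, reason) verdict."""
    return {url: check_image_url(url, resolver) for url in extract_image_urls(markdown)}


if __name__ == "__main__":
    for url, (allowed, reason) in audit_markdown(SAMPLE_README).items():
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```

Note that the evil.com URL passes this guard. That is deliberate: an importer that fetches external images cannot avoid contacting attacker-owned hosts, and all such a host learns is that the fetch happened and from which egress address. The damage in an SSRF comes from URLs that land inside the deployment, which is what the address check refuses. A production fetcher must additionally connect to the exact address it validated rather than resolving the name a second time (otherwise DNS rebinding defeats the check), re-run the check on every redirect, send no credentials, and bound the time and size of the response.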
Mitigations
GitLab has released patched versions, and administrators are advised to update affected instances immediately. The fixed version depends on the release line in use:
1. Upgrade to GitLab CE/EE 16.9.7 or later on the 16.9 line, 16.10.5 or later on the 16.10 line, or 16.11.2 or later on the 16.11 line; any later release line already contains the fix.
2. If the upgrade has to wait, disabling GitHub as an import source (Admin Area, Settings, General, Import and export settings) takes the vulnerable code path out of reach of ordinary users. This is a compensating control, not a fix.
Conclusion
SSRF vulnerabilities like CVE-2023-6195 can have severe consequences for affected organizations, because the importer runs with the network reach of the GitLab server itself. Keeping your GitLab instance current with security patches significantly reduces the risk of falling victim to these attacks. Keep an eye on the official GitLab security advisories and apply available patches promptly.
Timeline
Published on: 01/31/2025 00:15:08 UTC
Last modified on: 01/31/2025 18:15:34 UTC