CVE-2021-22175: 
GitLab vulnerability analysis and mitigation

A server-side request forgery (SSRF) vulnerability was discovered in GitLab (CVE-2021-22175) affecting all versions starting from 10.5. The vulnerability could be exploited by an unauthenticated attacker even on GitLab instances where registration is disabled, specifically when requests to the internal network for webhooks are enabled (NVD, CVE).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while GitLab Inc. assessed it with a score of 6.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability could allow attackers to perform internal network mapping, locate vulnerable services, and potentially steal cloud credentials. When webhooks to internal networks are enabled, the vulnerability could be particularly dangerous as it allows unauthorized access to internal resources (Hacker News).

The vulnerability has been fixed in GitLab versions 13.6.7, 13.7.7, and 13.8.4. Organizations are advised to upgrade to these or later versions. Additionally, it's recommended to limit outbound connections to necessary endpoints and monitor for suspicious outbound requests (NVD).