CVE-2021-39870: 
GitLab vulnerability analysis and mitigation

In all versions of GitLab CE/EE since version 11.11, a vulnerability was discovered that allows attackers to bypass the disabled Repo by URL import setting through crafted API calls. The vulnerability was assigned CVE-2021-39870 and was disclosed on September 30, 2021. The issue affects both GitLab Community Edition (CE) and Enterprise Edition (EE) installations (GitLab Security Release).

The vulnerability exists in the project creation functionality where an instance that has the setting to disable Repo by URL import enabled can be bypassed through a specially crafted API call. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows attackers to bypass administrative security controls, specifically the setting that disables repository imports by URL. This means that even when administrators explicitly disable this feature for security reasons, malicious users can still perform repository imports via URL, potentially introducing unauthorized or malicious code into the GitLab instance (GitLab Security Release).

The vulnerability has been fixed in GitLab versions 14.3.1, 14.2.5, and 14.1.7. GitLab strongly recommends that all installations running affected versions be upgraded to the latest version as soon as possible (GitLab Security Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher @ngalog. GitLab acknowledged the finding and addressed it in their September 2021 security release (GitLab Security Release).