CVE-2022-1188: 
GitLab vulnerability analysis and mitigation

A blind Server-Side Request Forgery (SSRF) vulnerability was discovered in GitLab CE/EE (CVE-2022-1188) affecting all versions from 12.1 before 14.7.7, versions from 14.8 before 14.8.5, and versions from 14.9 before 14.9.2. The vulnerability was identified in the repository mirroring feature's host key detection functionality (NVD, GitLab Advisory).

The vulnerability exists in the 'Detect host keys' function of the Mirroring repositories feature, which bypasses the internal network traffic protection. When using SSH for repository mirroring, the host key identification sub-feature lacks proper SSRF protection, allowing attackers to send TCP packets to internal networks while bypassing the Outbound network traffic feature. The vulnerability has a CVSS v3.1 Base Score of 5.3 (Medium) according to NVD, while GitLab Inc. assessed it with a Base Score of 3.7 (Low) (NVD).

The vulnerability allows attackers to perform blind SSRF attacks, enabling them to force GitLab to send TCP packets to forbidden networks, potentially leading to unauthorized access to internal network resources (GitLab Issue).

The vulnerability has been fixed in GitLab versions 14.7.7, 14.8.5, and 14.9.2. Users are advised to upgrade to these or later versions to protect against this vulnerability (NVD).