CVE-2023-6195: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery (SSRF) when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository (NVD, GitLab Release).

The vulnerability exists in the GitHub importer functionality when the 'Import Markdown attachments' feature is enabled. The implementation attempts to restrict media content fetching to trusted sources by checking URL prefixes, specifically 'https://user-images.githubusercontent.com'. However, the validation is insufficient as it only checks if the URL starts with the trusted prefix, allowing attackers to use domains like 'user-images.githubusercontent.com.attacker.controlled.domain'. The vulnerability has been assigned a CVSS v3.1 base score of 2.6 (Low) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (GitLab Issue).

The vulnerability allows an attacker to send GET requests to arbitrary private network endpoints of the GitLab server, including services listening on the loopback interface, link-local interface, and private LAN (10.0.0.0/8, 192.168.0.0/16, etc.). The attacker could potentially access this without having an account on the target GitLab server. Some network endpoints might disclose sensitive data without authentication (GitLab Issue).

The vulnerability has been patched in GitLab versions 16.9.7, 16.10.5, and 16.11.2. Organizations should upgrade to these or newer versions immediately. As a workaround, organizations can ensure the 'allowlocalrequestsfromwebhooksand_services' setting is disabled and carefully review GitHub repositories before importing them (GitLab Release).