CVE-2017-0905: SSRF vulnerability

November 13, 2017 (updated October 9, 2019)

If you are using the #find method on any of the classes that are derived from the Resource class and you are passing user input into that method, a malicious user can force the http client to reach out to a server under their control. This can lead to leakage of your private API key.

References

Detect and mitigate CVE-2017-0905 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 2.0.0 before 2.0.13, all versions starting from 2.1.0 before 2.1.11, all versions starting from 2.2.0 before 2.2.5, all versions starting from 2.3.0 before 2.3.10, all versions starting from 2.4.0 before 2.4.11, all versions starting from 2.5.0 before 2.5.3, all versions starting from 2.6.0 before 2.6.3, all versions starting from 2.7.0 before 2.7.8, all versions starting from 2.8.0 before 2.8.2, all versions starting from 2.9.0 before 2.10.4, all versions starting from 2.11.0 before 2.11.2