Commit 901ea673 authored by Jim

revised formatting and text

parent d433adb4
Pipeline #18416778 passed with stages
in 17 minutes and 52 seconds
---
title: "GitLab Inbound Email Issue Notification"
date: 2018-03-06
author: Jim Thavisouk
author_gitlab: Thavisouk
categories: security
tags: security, gitlab
---
## Issue Summary
GitLab.com provides customers the capability to [create a new issue by email](https://docs.gitlab.com/ee/user/project/issues/create_new_issue.html#new-issue-via-email), which can also be managed by [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html). This is accomplished through a dynamically generated email address that is currently served under GitLab's own domain name (`@gitlab.com`). It has come to our attention that an attacker can abuse this process to impersonate authorized GitLab personnel, because the generated address carries GitLab's domain. This issue impacts customers who use the new-issue-by-email address for a project or for Service Desk.
## Customer Remediation Steps
Our customers should check whether they are using the new-issue-by-email address for a project or for Service Desk.
If aliases were used, update them from `@gitlab.com` to `@incoming.gitlab.com`.
If domain whitelisting was used, please update those domains from `@gitlab.com` to `@incoming.gitlab.com`. These changes can be made _immediately_.
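One way to audit a customer-side mail configuration for the two remediation steps above is to walk every alias and domain rule and rewrite those still pointing at `@gitlab.com`. This is an added example, not GitLab's code; the entry formats (a bare domain rule such as `@gitlab.com`, or a full alias) and the sample entries are constructed assumptions.

```python
"""Audit mail allowlist and alias entries for the GitLab inbound-address change.

Added example, not GitLab's own code. Assumed entry formats: a domain rule
written as "@gitlab.com" (or "gitlab.com"), or a full alias such as
"incoming+group-project-123@gitlab.com". Sample entries are constructed.
"""

OLD_DOMAIN = "gitlab.com"           # any address here can be impersonated
NEW_DOMAIN = "incoming.gitlab.com"  # dedicated inbound-only domain

# Constructed sample of one customer's allowlist / alias configuration.
SAMPLE_ENTRIES = [
    "@gitlab.com",                                  # domain rule: trusts all of gitlab.com
    "incoming+acme-support-7@gitlab.com",           # alias still on the old domain
    "Incoming+Acme-Ops-2@GitLab.com",               # same, mixed case
    "incoming+acme-billing-4@incoming.gitlab.com",  # already migrated
    "alerts@example.com",                           # unrelated, must be left alone
]


def migrate_entry(entry):
    """Return the entry rewritten to the new domain, or unchanged if no change is needed.

    Works for both domain rules (empty local part) and full aliases; the domain
    comparison is case-insensitive and an already-migrated entry is not touched.
    """
    entry = entry.strip()
    local, at, domain = entry.rpartition("@")
    if domain.lower() != OLD_DOMAIN:
        return entry
    return f"{local}{at}{NEW_DOMAIN}"


def audit(entries):
    """Return {'stale': {old: new, ...}, 'ok': [...]} for a list of config entries.

    'stale' entries will stop working once the old addresses are disabled and,
    in the case of a domain rule, currently trust a domain an attacker can use.
    """
    report = {"stale": {}, "ok": []}
    for raw in entries:
        entry = raw.strip()
        migrated = migrate_entry(entry)
        if migrated != entry:
            report["stale"][entry] = migrated
        else:
            report["ok"].append(entry)
    return report


if __name__ == "__main__":
    for old, new in audit(SAMPLE_ENTRIES)["stale"].items():
        print(f"UPDATE  {old}  ->  {new}")
```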
## GitLab Remediation Strategy
We will update the addresses from `@gitlab.com` to `@incoming.gitlab.com`.
We will reach out directly to customers who are still using the old address to make sure the new addresses are used instead.
All addresses with the `@gitlab.com` domain will be disabled on **3 April 2018**. Incoming email to those addresses will be rejected.