Commit 9a76b105 authored by Rebecca Dodd

Improve formatting

parent 3f244809
Pipeline #18525466 passed with stages in 13 minutes and 30 seconds
---
title: "GitLab Inbound Email Issue Notification"
title: "GitLab inbound email issue notification"
date: 2018-03-06
author: Jim Thavisouk
author_gitlab: Thavisouk
author_twitter: gitlab
categories: security
tags: security, gitlab
description: "We've identified a potential risk impacting those using our email an issue to project, Reply by Email, and Service Desk features."
ee_cta: false
---
## Issue Summary
GitLab.com provides users the capability to [create new issues via email](https://docs.gitlab.com/ee/user/project/issues/create_new_issue.html#new-issue-via-email), which can also be managed by [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html). This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name (@gitlab.com). It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the @gitlab.com domain. This issue impacts users who are using email an issue to project, [Reply by Email](https://docs.gitlab.com/ee/administration/reply_by_email.html), and Service Desk.
GitLab.com provides users the capability to [create new issues via email](https://docs.gitlab.com/ee/user/project/issues/create_new_issue.html#new-issue-via-email), which can also be managed by [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html). This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name (@gitlab.com). It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the @gitlab.com domain. This issue impacts users who are using email an issue to project, [Reply by Email](https://docs.gitlab.com/ee/administration/reply_by_email.html), and Service Desk.
<!-- more -->
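Review bot: the two copies of the summary paragraph are character-for-character identical, so whatever changed in this hunk (most likely trailing whitespace) is invisible to a reader of the diff; worth confirming that the edit is intentional rather than an editor artifact. While touching this paragraph, the phrase "users who are using email an issue to project" reads as a garbled clause because, unlike "create new issues via email", "Reply by Email" and "Service Desk", the feature name is neither linked nor set off; linking it to the same docs page as "create new issues via email", or writing "the email-an-issue-to-project feature", would make the three features read as a parallel list.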
## Customer Remediation Steps
## Customer remediation steps
Our users should check to see if they are using the create new issues via email feature.
If aliases were used, update those aliases from `@gitlab.com` to `@incoming.gitlab.com`.
If domain whitelisting was used, please update those domains from `@gitlab.com` to `@incoming.gitlab.com`.
If domain whitelisting was used, please update those domains from `@gitlab.com` to `@incoming.gitlab.com`.
These changes can be made _immediately_.
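Review bot: the heading change to sentence case matches the title change in the front matter, but the three remediation sentences that follow are a checklist (check the feature, update aliases, update whitelisted domains) and would be clearer as a bulleted list, which is in scope for a commit titled "Improve formatting". The domain-whitelisting line also appears twice with no visible difference, so again the change there is probably whitespace only; please confirm.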
## GitLab Remediation Strategy
## GitLab remediation strategy
We will update the addresses from `@gitlab.com` to `@incoming.gitlab.com`.
We will update the addresses from `@gitlab.com` to `@incoming.gitlab.com`.
We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by **20 March 2018**.
We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by **20 March 2018**.
All addresses with the @gitlab.com domain will be disabled **3 April 2018**. Incoming email to the address will be rejected.
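Review bot: formatting of the domain is inconsistent within this hunk: `@gitlab.com` and `@incoming.gitlab.com` are in backticks in "We will update the addresses from `@gitlab.com` to `@incoming.gitlab.com`." but the final sentence has "the @gitlab.com domain" in plain text; use backticks in both. The final sentence also reads better as "will be disabled on **3 April 2018**", and the three dated steps (address update, direct outreach by 20 March 2018, disablement on 3 April 2018) would be easier to scan as a list. The paired lines for the first two sentences are identical, so those changes are presumably whitespace only.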