Blog News GitLab inbound email issue notification
Published on: March 6, 2018
1 min read

GitLab inbound email issue notification

We've identified a potential risk impacting those using our email an issue to project, Reply by Email, and Service Desk features.

Blog fallback hero

GitLab.com provides users the capability to create new issues via email, which can also be managed by Service Desk. This is accomplished through a dynamically generated email address that is currently being managed with GitLab's domain name (@gitlab.com). It has come to our attention that an attacker can abuse this process to perform actions outside the intended scope with the @gitlab.com domain. This issue impacts users who are using email an issue to project, Reply by Email, and Service Desk.

Customer remediation steps

Our users should check to see if they are using the create new issues via email feature.

If aliases were used, update those aliases from @gitlab.com to @incoming.gitlab.com.

If domain whitelisting was used, please update those domains from @gitlab.com to @incoming.gitlab.com.

These changes can be made immediately.

GitLab remediation strategy

We will update the addresses from @gitlab.com to @incoming.gitlab.com.

We will reach out to users directly that are still using the old address to make sure the new addresses are being used instead, by April 17, 2018.

All addresses with the @gitlab.com domain will be disabled April 31, 2018. Incoming email to the address will be rejected.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert