When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
Credits
Thanks [@myster](https://hackerone.com/myster?type=user) for reporting this vulnerability through our HackerOne bug bounty program
