GMS-2021-58: Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain

April 29, 2021

Impact

Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF).

Resolution

Validate the provided Zendesk subdomain to be a valid subdomain in:

getAuthUrl
getAccessToken

References

github.com/advisories/GHSA-q348-f93x-9gx4
github.com/zendesk/zendesk_api_client_php/commit/b451b743d9d6d81a9abf7cb86e70ec9c5332123e
github.com/zendesk/zendesk_api_client_php/pull/466
github.com/zendesk/zendesk_api_client_php/security/advisories/GHSA-q348-f93x-9gx4

Code Behaviors & Features

Detect and mitigate GMS-2021-58 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →