CVE-2018-17537: Stored XSS Vulnerability in GitLab Community and Enterprise Edition during Repository Browsing with Package.json

CVE-2018-17537 is a Cross-site Scripting (XSS) vulnerability that was discovered in GitLab Community and Enterprise Edition. This vulnerability exists in versions before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. The exploit occurs when a user is browsing a repository and the package.json file exists in that repository. This post will analyze and discuss the vulnerability in detail, including the code snippet responsible for the issue, links to the original references, and information on the exploit itself.

Vulnerability Details

The vulnerability exists in the GitLab Edge program, specifically the blog-viewer component where a stored XSS flaw is present during repository browsing. When a user browses a repository with a package.json file, the vulnerable code displays the contents of the repository and allows the attacker to execute malicious JavaScript code within the context of the user's session on the GitLab server. This unauthorized access can lead to unauthorized actions, data theft, or a full account takeover.

Code Snippet

The following code snippet in GitLab Edge's blog-viewer component is responsible for the vulnerability:

function displayPackageJson(pkg){
    var html = "<h3>" + pkg.name + "</h3>" +
                "<p>Version: " + pkg.version + "</p>" +
                "<p>Description: " + pkg.description + "</p>";
    return html;
}

The displayPackageJson function creates an HTML string by concatenating the contents of the package.json file. However, it does not sanitize the input before adding it to the generated HTML, leading to the XSS vulnerability.

Exploit Details

Using this vulnerability, an attacker can craft a malicious package.json file with JavaScript code embedded within its properties:

{
    "name": "<script>alert('XSS')</script>",
    "version": "1..",
    "description": "A simple XSS test"
}

When a user browses a repository containing this crafted package.json file, the malicious JavaScript code is executed, proving that the stored XSS vulnerability exists.

The following links provide more information on this vulnerability

1. CVE Details - CVE-2018-17537
2. GitLab Security Advisory - GitLab Security Release

Conclusion

CVE-2018-17537 demonstrates the importance of proper input validation and sanitation. GitLab was quick to release a patch that addressed this vulnerability, so it's essential to upgrade to the latest versions of GitLab Community and Enterprise Edition. By doing so, users can ensure their GitLab instance is secure and resistant to stored XSS attacks like the one discussed in this post.

Timeline

Published on: 04/16/2023 00:15:00 UTC
Last modified on: 04/25/2023 19:07:00 UTC