Snippet files are small text files which allow users to define custom commands to be executed in their project. If malformed, these files can contain commands which cause malicious actions to be triggered in the project. The issue was originally discovered by Google researchers and reported by the GitLab Project. It affects all supported versions of GitLab.

Incorrect display of Snippet files allows an attacker to craft a malicious snippet file which could trick a user into executing it in the GitLab interface, causing arbitrary code to be executed in the context of the GitLab application. This issue was first discovered in the 3.0 release. It has been assigned the CVE identifier CVE-2018-15934. Update your system to version 3.1 to address this issue.

How to check if you are vulnerable?

If you use GitLab, open the "GitLab" interface and check whether there is a new tab named "Snippets" at the bottom of the interface. If not, then your system is not vulnerable.
If there is a new tab, enter an empty filename as the value for the snippet file to check what happens. If you do not have permission to create snippets on your system, it's possible that you are vulnerable.

What is a snippet file?

Snippet files are small text files which allow users to define custom commands to be executed in the project. If they contain malicious content, these files can cause malicious actions to be triggered in the project.

Description of the flaw

GitLab allows users to create a snippet file which is stored in their .gitlab directory and executes commands when a project is cloned or forked. While the file does not contain malicious code by default, it is possible that the way it's written could make it execute commands that cause unintended actions within GitLab.

An example of this can be seen when a user creates a snippet file called "create-file.snippet" which contains the command "echo hello world". When the user runs this snippet, they will see the text "hello world" shown on their screen. However, if an attacker's malicious snippet file contained this line, they could craft it to execute arbitrary code in the context of GitLab. Update your system to version 3.1 to address this issue.


How do I know if I’m affected?

You should make sure you’re running version 3.1 of GitLab or later, and that your system is up to date.

Timeline

Published on: 03/28/2022 19:15:00 UTC
Last modified on: 04/05/2022 12:44:00 UTC
