CVE-2022-1423: Improper Access Control in GitLab CI/CD Cache Mechanism Leading to Cache Poisoning and Arbitrary Code Execution

Summary: CVE-2022-1423 is an improper access control vulnerability in GitLab CE/EE, affecting the Continuous Integration/Continuous Deployment (CI/CD) cache mechanism. A malicious actor with Developer privileges can perform cache poisoning, leading to arbitrary code execution in protected branches.

As the demand for nimble development and agile deployment of applications grows, GitLab has become an essential platform for many teams. However, the discovery of a critical vulnerability, CVE-2022-1423, has raised serious concerns for GitLab CE/EE versions:

14.10.

This vulnerability lies within the CI/CD cache mechanism of GitLab and can result in cache poisoning. It is an improper access control issue, allowing a malicious actor with Developer privileges to execute arbitrary code in protected branches.

Code Snippet

The issue stems from insecure cache key management in GitLab Runner. Here's an example of setting up a cache in .gitlab-ci.yml:

cache:
  key: "${CI_COMMIT_REF_SLUG}"
  paths:
    - .cache/

The problem arises because the cache key is insecure, allowing attackers with Developer access to modify its value and, consequently, poison the cache.

Cache poisoning can lead to arbitrary code execution in the following manner

1. A malicious developer creates a new branch and pushes a malicious code modification to the repository.

The developer changes the cache key to target a protected branch.

3. Subsequent CI/CD pipelines in the targeted protected branch would utilize the poisoned cache and unknowingly execute the malicious code.

Mitigation Steps

It is strongly recommended that users running affected versions of GitLab CE/EE upgrade to the patched versions as soon as possible. Install the appropriate patched version for your environment:

- Upgrade to GitLab 14.8.6
- Upgrade to GitLab 14.9.4
- Upgrade to GitLab 14.10.1

It is also crucial to review and enforce secure access control policies within your organization to minimize the risk of exploitation.

For more details and technical information, consult the following references

- GitLab Advisory for CVE-2022-1423
- CVE Details - CVE-2022-1423
- NIST - CVE-2022-1423

Stay informed and ensure your team's security by addressing CVE-2022-1423 promptly, upgrading affected GitLab CE/EE instances, and implementing strong access control policies.

Timeline

Published on: 05/19/2022 18:15:00 UTC
Last modified on: 06/02/2022 16:09:00 UTC