if the application is using a custom HTTP library that is not versioned. An attacker can leverage this to issue requests to other applications on the GitLab server, resulting in information disclosure or potential code injection. An example of this can be found in the GitLab Notebook where a crafted tag causes the application to send an HTTP request to a vulnerable static file, such as a logo image or favicon, with the request being sent to a remote IP address instead of the localhost. This could allow an attacker to inject arbitrary code into the context of the application or even serve malicious content to unsuspecting users. This issue has been addressed by upgrading the affected application version to 15.2.4 or later. For more information, see ‘CVE-2018-10961 - Arbitrary code execution via a crafted Jupyter Notebook in GitLab EE/CE’.

A crafted GitLab EE/CE static file can be uploaded to the application, for example, a logo image or favicon, that will cause a static file to be requested with an HTTP request that is sent to a remote IP address instead of localhost. An attacker can leverage this to issue HTTP requests to other applications on the GitLab server, resulting in information disclosure or potential injection of code. In order to trigger this issue, a static file must first be uploaded to the application. An example of this can be found in the GitLab Notebook where a crafted static file causes the application to

Summary

A vulnerability in GitLab EE/CE that can be exploited by an attacker to execute arbitrary code has been addressed.
For more information, see ‘CVE-2018-10961 - Arbitrary code execution via a crafted Jupyter Notebook in GitLab EE/CE’.

References:

CVE-2018-10961 - Arbitrary code execution via a crafted Jupyter Notebook in GitLab EE/CE
Severity: Important

CVE-2019-10977

The GitLab application does not properly handle the case where an end user shares a file with a custom HTTP library that is not versioned. An attacker can leverage this to issue requests to other applications on the GitLab server, resulting in information disclosure or potential code injection. This can be accomplished by accessing a shared file that contains a crafted tag and/or content-type which will cause the application to send an HTTP request to a remote IP address instead of localhost, resulting in arbitrary code execution. This issue has been addressed by upgrading the affected application version to 18.1.7 or later. For more information, see ‘CVE-2018-10961 - Arbitrary code execution via a crafted Jupyter Notebook in GitLab EE/CE’.
An example of this was found in the GitLab Notebook where an end user shared a note with their collaborator for editing and it contained a malicious tag. The payload enables arbitrary code injection as well as data exfiltration from the host system (e.g., sensitive information like database credentials).

CVE-2023-2429

if the application is using a custom HTTP library that is not versioned. An attacker can leverage this to issue requests to other applications on the GitLab server, resulting in information disclosure or potential code injection. An example of this can be found in the GitLab Notebook where a crafted tag causes the application to send an HTTP request to a vulnerable static file, such as a logo image or favicon, with the request being sent to a remote IP address instead of the localhost. This could allow an attacker to inject arbitrary code into the context of the application or even serve malicious content to unsuspecting users. This issue has been addressed by upgrading the affected application version to 15.2.4 or later. For more information, see ‘CVE-2018-10961 - Arbitrary code execution via a crafted Jupyter Notebook in GitLab EE/CE’.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 18:23:00 UTC

References