The attacker can create a new branch called “foo” and set it to be the default. If an unsuspecting user follows the instructions on the page to create a new feature, they will end up creating a new branch called “foo”, which is set as the default. The attacker can then modify the page to create a new feature called “bar”, which is a direct reference to the “foo” branch. This results in the attacker modifying the page to show the content of the “bar” feature on a page where it should be showing the content of the “foo” feature. This issue affects all versions of GitLab prior to 15.4.1. The issue was addressed by switching from using “tags” to “branches” for storing branch/tag mapping information.

Highlight an issue to focus on before reading further

The issue affects GitLab and was fixed in 15.4.1.
The issue is that the attacker can create a new branch called “foo” and set it as the default, while also modifying the page to create a new feature called “bar” that references the “foo” branch. As a result, the page shows the content of the “bar” feature where it should have shown the content of the “foo” feature.
The vulnerability was addressed by switching from using tags to branches for storing branch/tag mapping information.

Range Based Vulnerability in Gitolite

A range-based vulnerability was discovered in GitLab's Gitolite tool as of version 4.0. An unintended consequence of the feature that allows users an unlimited number of branches is that a user can create an unbounded number of branches, which could lead to a denial-of-service condition.
The issue was addressed by switching from using “tags” to “branches” for storing branch/tag mapping information.

Documentation Confusion

If you've been using GitLab for a while, you might have encountered the following issue:
You create a new branch with a descriptive name like “foo” but forget to delete it after you're done. This results in your branch being re-created with the default name.
While this isn't an issue that will affect all users, it can be confusing for those who are new to GitLab and don't know the difference between branches and tags.
The documentation does not make clear that branch names are set by default as tags, nor does it mention that deleting a branch will result in the deletion of all of its tags.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:24:00 UTC
