A recently discovered vulnerability, designated CVE-2022-3413, affects GitLab Enterprise Edition (EE) and allows unauthorized users to access certain Audit Events. The flaw impacts all GitLab EE versions from 14.5 to 15.3.4, 15.4 to 15.4.3, and 15.5 to 15.5.1. It enables Developers and Maintainers to view Audit Events within a project or group, even though access should have been restricted to Project Maintainers, Group Owners, and higher permission levels.

In this post, we will delve into the details of this vulnerability, discuss the potential risks and exploits, and provide guidance on how to secure your GitLab installations from unauthorized access to sensitive Audit Events information.

Exploit Details

The CVE-2022-3413 vulnerability stems from improper authorization checks when displaying Audit Events inside GitLab EE. When Audit Events are fetched from the database, the code responsible for checking user access privileges fails to restrict Developer and Maintainer-level users from viewing these events at the project and group levels.

A code snippet of the vulnerable method in GitLab EE illustrates the improper authorization check:

# Vulnerable access check in GitLab EE
def can_access_audit_event?
  can?(current_user, :read_audit_event, project_or_group)
end

By exploiting this vulnerability, a Developer or Maintainer could gain access to sensitive information in the project's or group's Audit Events. This could include actions performed by higher-privileged users, timestamps of activities, and other data that could be used to compromise the project further or to escalate permissions.
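To make the authorization gap concrete, the following is an added example (not GitLab's own code) that models the `:read_audit_event` check in a small role-based policy: the vulnerable shape grants the ability from Developer upward for both projects and groups, while the hardened shape requires Maintainer for projects and Owner for groups, as the post describes. The `ACCESS_LEVELS` table, the `Member`/`Project`/`Group` structs and the helper names are assumptions for this illustration.

```ruby
# Added example, not GitLab code. Numeric levels mirror GitLab's access-level ordering.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Member  = Struct.new(:role)   # a user's membership role in a project or group (assumed)
Project = Struct.new(:name)   # stand-in for a project scope (assumed)
Group   = Struct.new(:name)   # stand-in for a group scope (assumed)

# Vulnerable policy: :read_audit_event is granted at Developer level regardless
# of whether the scope is a project or a group, so the can? call in the post
# succeeds for Developers and Maintainers.
def vulnerable_abilities(role, _scope)
  abilities = []
  abilities << :read_audit_event if ACCESS_LEVELS[role] >= ACCESS_LEVELS[:developer]
  abilities
end

# Hardened policy: project Audit Events need Maintainer or above, group Audit
# Events need Owner. The scope type selects the threshold.
def hardened_abilities(role, scope)
  required = scope.is_a?(Group) ? :owner : :maintainer
  abilities = []
  abilities << :read_audit_event if ACCESS_LEVELS[role] >= ACCESS_LEVELS[required]
  abilities
end

# Mirrors can?(current_user, :read_audit_event, project_or_group); the policy
# that answers the question is injected so both shapes can be compared.
def can_access_audit_event?(member, scope, policy: method(:hardened_abilities))
  policy.call(member.role, scope).include?(:read_audit_event)
end

# Roles the vulnerable policy admits but the hardened policy rejects: this is
# exactly the set of users who could read Audit Events they should not see.
def leaking_roles(scope)
  ACCESS_LEVELS.keys.select do |role|
    m = Member.new(role)
    can_access_audit_event?(m, scope, policy: method(:vulnerable_abilities)) &&
      !can_access_audit_event?(m, scope)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample scopes for a quick comparison of the two policies.
  puts "project leak: #{leaking_roles(Project.new('payments')).inspect}"  # [:developer]
  puts "group leak:   #{leaking_roles(Group.new('platform')).inspect}"    # [:developer, :maintainer]
end
```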

Original References

The GitLab team has released a security advisory detailing the vulnerability and provided patched versions, which you can find here: https://about.gitlab.com/releases/2022/02/28/security-release-gitlab-14-7-1-released/

The official CVE entry can be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3413

Mitigation and Solution

To protect your GitLab instances against this vulnerability, it is strongly recommended that you upgrade your GitLab Enterprise Edition to one of the following patched versions:

15.5.2 for those running GitLab EE 15.5.x

These patched versions include proper authorization checks to ensure that only authorized users with appropriate permission levels (i.e., Project Maintainers, Group Owners, and above) can access the project and group Audit Events.

In addition to upgrading your GitLab EE, it is prudent to review your current project and group settings, roles, and permissions. Ensure that your GitLab installations follow the Principle of Least Privilege, granting users the minimum access necessary to perform their roles.

Conclusion

The CVE-2022-3413 vulnerability represents a significant security risk for organizations using GitLab Enterprise Edition for source code management and collaboration. Because it allows unauthorized access to sensitive Audit Events data, projects and groups could be exposed to further unauthorized actions and potential data breaches. Organizations should address this vulnerability quickly by upgrading to the patched GitLab EE versions and revisiting their user permissions strategy.

Timeline

Published on: 11/10/2022 00:15:00 UTC
Last modified on: 11/11/2022 01:51:00 UTC