A vulnerability tracked as CVE-2022-3482 was disclosed in GitLab CE/EE (Community Edition and Enterprise Edition), affecting all versions from 11.3 before 15.3.5, 15.4 before 15.4.4, and 15.5 before 15.5.2. The issue is an improper access control check that allows unauthorized users to view release names even when release access is restricted to project members only. In this blog post we walk through the shape of the faulty code, link the original references, and outline the exploit steps, so you can understand the issue and apply the necessary mitigations.

Code Snippet

The vulnerability stems from the project's release-access setting not being checked when release names are fetched. The snippet below is a simplified illustration of the faulty pattern, written as a Rails controller; it is not the exact GitLab source, but it shows the missing step:

class ReleasesController < ApplicationController
  # No authorization before_action guards this action, so the
  # release-access setting of the project is never consulted.
  def index
    # Returns every release, including names a non-member should not see
    @releases = @project.releases
  end
end

In this snippet, the index action fetches every release of the project without first verifying that the current user is allowed to read releases (for example via a before_action that checks the release-access setting against the user's membership). Such a check must be enforced on every path that exposes release data, including the REST API, not only the web UI.
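To make the missing check concrete, here is a plain-Ruby model of the vulnerable controller next to a fixed one. This is an added example written for this post, not GitLab's own code: the Project, User, Release and Forbidden classes, the :members_only setting and the authorize_read_release! guard are all names chosen for the illustration, standing in for the project policy and the before_action a real Rails app would use.

```ruby
# Added illustration for this post, NOT GitLab's code: a plain-Ruby stand-in
# for the controller pattern above, showing the missing check and its fix.
# Project, User, Release, Forbidden and authorize_read_release! are all
# assumed names chosen for the example.
require 'set'

Release = Struct.new(:id, :name)
User    = Struct.new(:username)

class Project
  attr_reader :releases

  # releases_access: :everyone (anyone who can see the project) or
  # :members_only (the restricted setting the advisory talks about)
  def initialize(releases:, releases_access:, members:)
    @releases        = releases
    @releases_access = releases_access
    @members         = Set.new(members)
  end

  def member?(user)
    !user.nil? && @members.include?(user)
  end

  # The policy the controller must consult before exposing releases.
  def can_read_releases?(user)
    @releases_access == :everyone || member?(user)
  end
end

class Forbidden < StandardError; end

# Vulnerable shape: the action hands back releases without consulting policy.
class VulnerableReleasesController
  def initialize(project, current_user)
    @project, @current_user = project, current_user
  end

  def index
    @project.releases.map(&:name)
  end
end

# Fixed shape: an authorization guard runs before any data is read,
# in the role a Rails before_action would play.
class FixedReleasesController
  def initialize(project, current_user)
    @project, @current_user = project, current_user
  end

  def index
    authorize_read_release!
    @project.releases.map(&:name)
  end

  private

  def authorize_read_release!
    return if @project.can_read_releases?(@current_user)
    raise Forbidden, 'releases are restricted to project members'
  end
end

# Drive either controller as a given user (nil = anonymous); returns the
# release names or :forbidden, mirroring a 200 body vs. a 403 response.
def list_releases(controller_class, project, user)
  controller_class.new(project, user).index
rescue Forbidden
  :forbidden
end

# Constructed sample data for the demo.
ALICE   = User.new('alice')    # project member
MALLORY = User.new('mallory')  # authenticated non-member
SAMPLE_PROJECT = Project.new(
  releases: [Release.new(1, 'v1.0.0'), Release.new(2, 'v1.1.0-internal-beta')],
  releases_access: :members_only,
  members: [ALICE]
)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, as mallory: #{list_releases(VulnerableReleasesController, SAMPLE_PROJECT, MALLORY).inspect}"
  puts "fixed, as mallory:      #{list_releases(FixedReleasesController, SAMPLE_PROJECT, MALLORY).inspect}"
  puts "fixed, as alice:        #{list_releases(FixedReleasesController, SAMPLE_PROJECT, ALICE).inspect}"
end
```

The point of the fixed variant is that the decision lives in one policy method (can_read_releases?) and the guard runs before any release data is touched; the same guard has to sit in front of the API endpoint as well, otherwise the web UI is protected while the JSON route still leaks.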

Original References

1. GitLab Security Release announcement for 15.5.2, 15.4.4 and 15.3.5 (2 November 2022): https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/
2. NVD (National Vulnerability Database) Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-3482

Exploit Details

1. Identify a project whose releases are restricted to project members only, and a user (with an API token) who is not a member of that project.

2. Using that non-member's token, request the project's releases through the REST API. For example:

GET /api/v4/projects/:id/releases HTTP/1.1
Host: <GitLab_Instance>
Authorization: Bearer <access_token>

3. On an affected version the request succeeds and the non-member sees release names they should not have access to. The response looks like this (abbreviated to the relevant fields):

HTTP/1.1 200 OK
Content-Type: application/json
[
  {
    "id": 1,
    "name": "Restricted_Project_Release_Name1"
  },
  {
    "id": 2,
    "name": "Restricted_Project_Release_Name2"
  }
]

Mitigation

GitLab has released security patches for this issue, and it is highly recommended to upgrade to the patched version on your branch, as listed below:

- For GitLab CE/EE 15.5.x, upgrade to 15.5.2 or later.
- For GitLab CE/EE 15.4.x, upgrade to 15.4.4 or later.
- For GitLab CE/EE 15.3.x, and for any older affected version (11.3 through 15.2), upgrade to 15.3.5 or later. If you are several minor versions behind, follow GitLab's documented upgrade path rather than jumping directly to the target release.

To upgrade your GitLab instance, follow the official GitLab documentation: https://docs.gitlab.com/ee/update/
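After patching, it is worth confirming two things from the outside: that the instance reports a fixed version, and that the releases endpoint used in the exploit steps above now refuses a non-member token. The script below is an added example for this post, not GitLab's own tooling: the range table is taken from the advisory text, the API paths /api/v4/version and /api/v4/projects/:id/releases are GitLab's real REST endpoints, and the helper names (affected_version?, fixed_version_for, classify_release_response, probe_release_names) are chosen here. The offline part runs on constructed version strings and response bodies; the live helpers need a reachable instance and a token with read_api scope.

```ruby
# Added check for this post (not GitLab's own tooling): decide whether a
# reported GitLab version falls in the ranges the advisory lists, and
# classify the releases-endpoint response a non-member token gets back.
# Helper names here are chosen for the example; the API paths are real.
require 'json'
require 'net/http'
require 'uri'

# Affected ranges from the advisory: lower bound inclusive, upper exclusive.
AFFECTED_RANGES = [
  ['11.3.0', '15.3.5'],
  ['15.4.0', '15.4.4'],
  ['15.5.0', '15.5.2'],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Self-managed instances report versions such as "15.4.3-ee"; Gem::Version
# would treat the "-ee" suffix as a prerelease tag, so drop it first.
def normalize_version(raw)
  Gem::Version.new(raw.to_s.strip.split('-').first)
end

def affected_version?(raw)
  v = normalize_version(raw)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# First fixed version on the matching branch, or nil when not affected.
def fixed_version_for(raw)
  v = normalize_version(raw)
  match = AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
  match && match[1].to_s
end

# Interpret what GET /api/v4/projects/:id/releases returned for a token
# belonging to a user who is NOT a project member:
#   :leaked - 200 with release names visible (the CVE behaviour)
#   :empty  - 200 but nothing listed (project simply has no releases)
#   :denied - 403/404, the expected result on a patched instance
#   :other  - anything else (rate limit, auth error, ...)
def classify_release_response(status, body)
  case status.to_i
  when 200
    names = JSON.parse(body).map { |r| r['name'] }.compact
    names.empty? ? :empty : :leaked
  when 403, 404
    :denied
  else
    :other
  end
end

# Live helpers: need network access and a token with read_api scope.
def api_get(base_url, path, token)
  uri = URI.join(base_url, path)
  req = Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = token
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
end

def fetch_instance_version(base_url, token)
  res = api_get(base_url, '/api/v4/version', token)
  raise "GET /api/v4/version returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body).fetch('version')
end

def probe_release_names(base_url, project_id, non_member_token)
  res = api_get(base_url, "/api/v4/projects/#{project_id}/releases", non_member_token)
  classify_release_response(res.code, res.body)
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo on constructed version strings.
  %w[15.4.3-ee 15.5.2 12.10.0 11.2.9].each do |v|
    puts "#{v}: affected=#{affected_version?(v)} fix=#{fixed_version_for(v).inspect}"
  end
end
```

Two practical notes: the probe must be run with a token of a user who is genuinely not a member (a maintainer's token will always get 200 and tells you nothing), and a :denied result from a 404 is normal, since GitLab hides the existence of projects the caller cannot access rather than returning 403. The PRIVATE-TOKEN header used here and the Authorization: Bearer header shown in the exploit steps are interchangeable for personal access tokens.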

Conclusion

CVE-2022-3482 is an information-disclosure vulnerability: it exposes release names to users who should not be able to see them. Release names alone may look low-value, but they can reveal internal version numbers, codenames or the existence of unannounced work, so the fix should still be treated as a priority. Upgrade to a patched version of GitLab CE/EE and, after upgrading, confirm with a non-member account that the releases endpoint is denied.

Timeline

Fix released: 2 November 2022 (GitLab 15.5.2, 15.4.4 and 15.3.5)
Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/01/2023 17:17:00 UTC