A recently discovered vulnerability (CVE-2022-3706) in GitLab Community Edition (CE) and Enterprise Edition (EE) is an improper authorization flaw that lets unauthorized users take ownership of retried jobs in upstream pipelines. It affects all versions of GitLab CE/EE from 7.14 before 15.3.5, from 15.4 before 15.4.4, and from 15.5 before 15.5.2.

Vulnerability Details

When a user retries a job in a downstream pipeline, they take ownership of the retried jobs in the upstream pipeline even if they have no access to the upstream project. The cause is an insufficient permission check on the retry operation, which lets users perform an action they should not be allowed to.

2. User B has access to Project B (downstream) and initiates a job retry.
3. Upon job retry, User B takes ownership of the retried job in the upstream pipeline, even though they do not have access to Project A.

Code Snippet

To illustrate this vulnerability, let's take a look at a simple GitLab CI/CD pipeline YAML configuration file:

# .gitlab-ci.yml for Project A (Upstream)
upstream-job:
  script:
    - echo "Upstream Job"

# .gitlab-ci.yml for Project B (Downstream)
# A job that uses the trigger keyword cannot also carry a script section;
# GitLab rejects such a configuration, so the trigger job declares only the trigger.
downstream-job:
  trigger:
    project: Project_A   # placeholder for the full path of the upstream project
    strategy: depend     # this job's status mirrors the triggered pipeline's result

When User B retries the downstream-job in Project B, they will inadvertently take ownership of the upstream-job in Project A.

Original References

To learn more about this vulnerability and the affected versions, you can refer to the following GitLab Security Release notes:
- GitLab Security Release: 15.3.5, 15.4.4, and 15.5.2

Resolution

To mitigate this vulnerability, users should upgrade their GitLab CE/EE instances to the latest available versions. The following versions include fixes for this vulnerability:
- GitLab CE/EE 15.3.5 or later
- GitLab CE/EE 15.4.4 or later
- GitLab CE/EE 15.5.2 or later
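As an added example (not part of the original advisory or of GitLab's own tooling), the following Python script turns the three affected ranges above into a check you can run against the version string an instance reports, for example the JSON body returned by GitLab's GET /api/v4/version endpoint. The sample response in the script is constructed.

```python
import json
import re

# Affected ranges from the advisory, as half-open [start, fixed) intervals:
# the upper bound of each range is the fixed release listed in "Resolution".
AFFECTED_RANGES = [
    ((7, 14, 0), (15, 3, 5)),   # 7.14 up to, but not including, 15.3.5
    ((15, 4, 0), (15, 4, 4)),   # 15.4 up to, but not including, 15.4.4
    ((15, 5, 0), (15, 5, 2)),   # 15.5 up to, but not including, 15.5.2
]


def parse_version(version):
    """Turn '15.4.3', '15.4.3-ee' or '15.4' into a (major, minor, patch) tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognized GitLab version string: {version!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version lies inside any of the affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed < fixed for low, fixed in AFFECTED_RANGES)


def minimum_fixed_version(version):
    """Lowest fixed release on the instance's branch, or None if not affected."""
    parsed = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= parsed < fixed:
            return "%d.%d.%d" % fixed
    return None


def check_version_response(body):
    """Evaluate the JSON body returned by GitLab's GET /api/v4/version endpoint."""
    version = json.loads(body)["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": minimum_fixed_version(version),
    }


if __name__ == "__main__":
    # Constructed sample response; a real one also carries a "revision" field.
    sample = '{"version": "15.4.3-ee"}'
    print(check_version_response(sample))
```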

You can find detailed instructions on how to upgrade GitLab in the official GitLab documentation.

Conclusion

CVE-2022-3706 is an improper authorization vulnerability in GitLab CE/EE that affects a wide range of versions, potentially allowing unauthorized users to take ownership of retried jobs in upstream pipelines. To ensure the security of your projects and pipelines, it is essential to upgrade your GitLab instances to the latest available versions that include fixes for this vulnerability.

Timeline

Published on: 11/10/2022 00:15:00 UTC
Last modified on: 11/11/2022 01:43:00 UTC