A recently disclosed vulnerability, CVE-2022-3726, in GitLab Community Edition (CE) and Enterprise Edition (EE) puts users' accounts at risk. It stems from a lack of sandboxing of OpenAPI documents rendered by GitLab's Swagger OpenAPI viewer. It affects all GitLab versions from 12.6 before 15.3.5, 15.4 before 15.4.4, and 15.5 before 15.5.2. An attacker exploits it by tricking a user into opening an attacker-controlled OpenAPI document in the Swagger viewer; because the document is not sandboxed, it can issue HTTP requests from the victim's browser session and compromise the victim's account.
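To check a specific instance against the affected ranges above, here is an added example in JavaScript; it is not part of the original advisory or of GitLab's own tooling. It assumes the version string is the one GitLab returns from its GET /api/v4/version endpoint (the sample response body below is constructed), treats a version with no patch number as patch 0, and the function names are mine.

```javascript
// Added example, not part of the original advisory or of GitLab's tooling.
// Decides whether a GitLab CE/EE version is in a range affected by
// CVE-2022-3726. Ranges are [lower inclusive, upper exclusive], as the
// advisory states them: 12.6 before 15.3.5, 15.4 before 15.4.4, 15.5 before 15.5.2.

// Parse "15.4.3", "15.4.3-ee" or "v15.4" into [major, minor, patch];
// a missing patch component is treated as 0.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable GitLab version: ${s}`);
  return [Number(m[1]), Number(m[2]), m[3] === undefined ? 0 : Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_RANGES = [
  { from: [12, 6, 0], before: [15, 3, 5] },
  { from: [15, 4, 0], before: [15, 4, 4] },
  { from: [15, 5, 0], before: [15, 5, 2] },
];

// The affected range containing this version, or null if there is none.
function affectedRange(versionString) {
  const v = parseVersion(versionString);
  return (
    AFFECTED_RANGES.find(
      (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.before) < 0
    ) || null
  );
}

function isAffectedByCve20223726(versionString) {
  return affectedRange(versionString) !== null;
}

// First fixed release on the same branch, or null when the version is not
// affected (already patched, or older than 12.6).
function fixedVersionFor(versionString) {
  const r = affectedRange(versionString);
  return r ? r.before.join(".") : null;
}

// Constructed sample of the JSON body returned by GitLab's GET /api/v4/version
// endpoint (fetching the real one requires an authenticated token).
const SAMPLE_VERSION_RESPONSE = '{"version":"15.4.3-ee","revision":"0123abcd"}';

// Assess an instance from that response body.
function assessInstance(body) {
  const { version } = JSON.parse(body);
  return {
    version,
    affected: isAffectedByCve20223726(version),
    upgradeTo: fixedVersionFor(version),
  };
}

console.log(assessInstance(SAMPLE_VERSION_RESPONSE));
```

Note that 15.4.0 is newer than 15.3.5 yet still affected: the fix shipped separately on each of the 15.3, 15.4 and 15.5 branches, which is why the check compares against the patched release of the branch the instance is on rather than a single cut-off.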
Exploit Details
CVE-2022-3726 arises because GitLab CE/EE did not render OpenAPI documents in a sandbox. The Swagger OpenAPI viewer displays documents stored in a repository, so an attacker who controls such a document controls what the viewer renders, and that content runs in the context of the GitLab page rather than in an isolated frame. This lets the document issue HTTP requests to GitLab that carry the victim's session, giving the attacker unauthorized access to the victim's account data.
When the victim opens the viewer link provided by the attacker, the malicious request is issued from the victim's browser, and the attacker can alter the victim's personal data or perform other actions in GitLab as the victim.
1. The attacker shares a link to a malicious OpenAPI document like the one shown below:
openapi: 3.0.0
info:
  title: Malicious OpenAPI Document
  version: 1.0.0
paths:
  /api_url:                  # placeholder path used throughout this write-up
    post:
      summary: Execute a malicious request
      parameters:
        - name: authToken    # the victim's token travels in the query string
          in: query
          schema:
            type: string
      responses:
        '200':
          description: Request executed
2. The victim clicks on the provided link, which opens the document in the GitLab Swagger OpenAPI viewer and unknowingly triggers the HTTP request from the victim's own session.
3. The attacker now sends the malicious HTTP request:
curl -X POST "https://gitlab.example.com/api_url?authToken=VICTIM_AUTH_TOKEN" -H "Content-Type: application/json"
At this point, the attacker has accessed the victim's GitLab account through the malicious request.
The CVE-2022-3726 vulnerability was first documented in the following resources:
1. CVE - Common Vulnerabilities and Exposures (CVE) entry for CVE-2022-3726
2. GitLab Security Advisory for the 15.5.2, 15.4.4, and 15.3.5 security release
Mitigation and Recommendations
GitLab has acknowledged and addressed this vulnerability. Users should update their GitLab CE/EE installations to 15.3.5, 15.4.4, or 15.5.2 (or later), the releases in which OpenAPI documents are rendered in a sandbox.
Until an instance is patched, users should be cautious about opening OpenAPI documents from repositories they do not trust in the Swagger OpenAPI viewer, and should not click links in it that they have not verified themselves. GitLab administrators should also monitor their systems for suspicious activity, such as unexpected changes to user accounts, to identify potential threats.
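As an added illustration of what "sandboxing" means for this class of bug (example code, not GitLab's own implementation), the following JavaScript contrasts rendering an untrusted OpenAPI document straight into the host page with rendering it inside an iframe that carries the sandbox attribute. The document, the two render functions and the check are constructed for this example; the payload reuses this write-up's placeholder /api_url path and does nothing beyond issuing that request.

```javascript
// Added example, not GitLab's code. Shows why an un-sandboxed viewer is
// dangerous and what a sandboxed rendering of an untrusted document looks like.

// Constructed attacker-controlled OpenAPI document. Only the free-text
// description matters: it carries markup that fires an HTTP request.
const MALICIOUS_DOC = {
  openapi: "3.0.0",
  info: {
    title: "Malicious OpenAPI Document",
    version: "1.0.0",
    // In an un-sandboxed viewer this onerror handler runs in the GitLab
    // origin, so the POST is sent with the victim's session cookie.
    description: "<img src=x onerror=\"fetch('/api_url', {method: 'POST'})\">",
  },
  paths: { "/api_url": { post: { summary: "Execute a malicious request" } } },
};

// Minimal HTML escaping for text dropped into markup or attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: document fields are inserted into the host page's DOM
// as HTML. Any markup in them executes with the host origin.
function renderInline(doc) {
  const ops = Object.entries(doc.paths).flatMap(([path, methods]) =>
    Object.entries(methods).map(
      ([method, op]) => `<li><code>${method.toUpperCase()} ${path}</code> ${op.summary || ""}</li>`
    )
  );
  return `<h1>${doc.info.title}</h1><p>${doc.info.description || ""}</p><ul>${ops.join("")}</ul>`;
}

// Hardened pattern: the same viewer markup, but placed in <iframe sandbox>
// via srcdoc. Without allow-same-origin the frame gets an opaque origin: its
// scripts cannot touch the parent DOM, cookies or storage, and a fetch() to
// the GitLab host is cross-origin and sent without the victim's credentials.
// Escaping the srcdoc value keeps the document from breaking out of the
// attribute into the host page.
function renderSandboxed(doc) {
  const inner = renderInline(doc);
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeHtml(inner)}" referrerpolicy="no-referrer"></iframe>`;
}

// Review/test guard: a frame granted both allow-scripts and allow-same-origin
// is not sandboxed at all, because the framed script can remove the sandbox
// attribute from its own frame element.
function sandboxIsEffective(html) {
  const m = /<iframe[^>]*\ssandbox="([^"]*)"/i.exec(html);
  if (!m) return false;
  const tokens = m[1].split(/\s+/).filter(Boolean);
  return !(tokens.includes("allow-scripts") && tokens.includes("allow-same-origin"));
}

console.log(renderSandboxed(MALICIOUS_DOC));
```

The sandboxed frame still runs the document's scripts (Swagger UI needs them to render), but it runs them in an origin that is not GitLab's, which is the property that breaks the "request on behalf of the victim" step. A Content-Security-Policy inside the framed document can tighten this further by restricting where those scripts may connect.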
In conclusion, it is essential for GitLab users and administrators to take the necessary actions to protect their accounts from potential threats. By ensuring that appropriate security measures are in place, users can enjoy a more secure and reliable experience with GitLab CE/EE.
Timeline
Published on: 11/10/2022 00:15:00 UTC
Last modified on: 11/11/2022 01:42:00 UTC