A recent vulnerability, CVE-2022-3726, in GitLab Community Edition (CE) and Enterprise Edition (EE) has raised concerns regarding the safety and security of users' accounts. This vulnerability is attributed to a lack of proper sandboxing in OpenAPI documents. It affects all GitLab versions between 12.6 and 15.3.5, as well as GitLab versions 15.4 prior to 15.4.4 and 15.5 prior to 15.5.2. An attacker can exploit this vulnerability by tricking the user into clicking on the Swagger OpenAPI viewer, compromising the victim's account by issuing malicious HTTP requests.

Exploit Details

The CVE-2022-3726 vulnerability arises due to the absence of a sandbox environment for OpenAPI documents in GitLab CE/EE. This can result in significant security risks, as an attacker can manipulate these documents and send HTTP requests to the Swagger OpenAPI viewer. By doing so, the attacker gains unauthorized access to the user's account data.

When a user clicks on the viewer link provided by the attacker, the malicious request gets executed, and the attacker can alter the victim's personal data or execute a command that affects GitLab functionality.

openapi: 3.0.0
info:
  title: Malicious OpenAPI Document
  version: 1.0.0
paths:
  /api_url:
    post:
      summary: Execute a malicious request
      parameters:
        - name: authToken
          in: query
          schema:
            type: string
      responses:
        '200':
          description: Request executed

2. The victim clicks on the provided link within the GitLab Swagger OpenAPI viewer, unintentionally initiating the HTTP request.

The attacker now sends the malicious HTTP request:

curl -X POST "https://gitlab.example.com/api_url?authToken=VICTIM_AUTH_TOKEN" -H "Content-Type: application/json"

At this point, the attacker has accessed the victim's GitLab account through the malicious request.

The CVE-2022-3726 vulnerability was first documented in the following resources:

1. CVE - Common Vulnerabilities and Exposures (CVE)

2. GitLab Security Advisory

Mitigation and Recommendations

GitLab has acknowledged and addressed this vulnerability in recent releases. Users should update their GitLab CE/EE installations to versions 15.3.5, 15.4.4, or 15.5.2, where proper sandboxing of OpenAPI documents has been implemented.
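
For administrators triaging several instances, the version ranges above can be checked mechanically. The following is an added example, not code from GitLab or from the advisory; the host names and version strings are constructed, and 15.3.5 is treated as the first fixed release of the oldest range, as the mitigation paragraph states.

```python
import re

# Affected ranges as stated on this page: (first affected, first fixed release).
AFFECTED = [
    ((12, 6, 0), (15, 3, 5)),
    ((15, 4, 0), (15, 4, 4)),
    ((15, 5, 0), (15, 5, 2)),
]
_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '15.4.3-ee' or 'v15.4' into a comparable (major, minor, patch) tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def fixed_release_for(text):
    """Return the release to upgrade to if this version is affected, else None."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= version < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def triage(inventory):
    """Map each affected host to its upgrade target ('unknown' if unparseable)."""
    report = {}
    for host, version in inventory.items():
        try:
            target = fixed_release_for(version)
        except ValueError:
            target = "unknown"  # surface for manual review instead of skipping
        if target:
            report[host] = target
    return report


# Constructed inventory: hypothetical hosts and version strings.
SAMPLE = {
    "gitlab-a.example.com": "15.3.4-ee",
    "gitlab-b.example.com": "15.4.4",
    "gitlab-c.example.com": "12.6",
    "gitlab-d.example.com": "15.5.1",
    "gitlab-e.example.com": "not reported",
}
```

Calling triage(SAMPLE) returns only the hosts that still need attention; gitlab-b, already on 15.4.4, is omitted.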

As a preventative measure, users are advised to be cautious when clicking on any links in the Swagger OpenAPI viewer that they have not verified themselves. Additionally, GitLab administrators should monitor their systems for any suspicious activity to identify potential threats.

In conclusion, it is essential for GitLab users and administrators to take the necessary actions to protect their accounts from potential threats. By ensuring that appropriate security measures are in place, users can enjoy a more secure and reliable experience with GitLab CE/EE.

Timeline

Published on: 11/10/2022 00:15:00 UTC
Last modified on: 11/11/2022 01:42:00 UTC