CVE-2022-3819: GitLab Improper Authorization in Emoji Reactions Leads to Unauthorized Access to Internal Notes

GitLab, a popular web-based Git repository, has recently been affected by an improper authorization issue in GitLab CE/EE, identified as CVE-2022-3819. This vulnerability allows malicious users to set emoji reactions on internal notes that they don't have access to. The flaw affects all GitLab CE/EE versions from 15. prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2.

In this post, we will provide a detailed analysis of CVE-2022-3819, including a code snippet of the vulnerability, links to the original references where it was reported, and exploit details.

Overview of CVE-2022-3819

The improper authorization issue in GitLab CWE-285 can be exploited by a malicious user to gain unauthorized access and set emoji reactions on internal notes they don't have the rights to access. By doing so, the attacker could potentially view sensitive information and perform unauthorized actions on target internal notes in GitLab. Given the severity of this issue and widespread use of GitLab, it is considered a critical vulnerability that demands urgent resolution.

The following code snippet demonstrates the vulnerability found in the GitLab CE/EE application

class AwardEmoji < ActiveRecord::Base
  ...
  def user_can_award?
    note.author == user || note.is_a?(VisibleNote) && note.visible_for?(user)
  end
end

This issue was first reported on GitLab's security advisory page

1. GitLab Security Advisory: CVE-2022-3819

Identify a target internal note that they don't have permission to access.

3. Craft a malicious request to set an emoji reaction on the target internal note using the following format:

`

POST /projects/:id/award_emoji HTTP/1.1

Host: example-gitlab.com

Content-Type: application/x-www-form-urlencoded

`

4. If the vulnerability exists, the GitLab server will process the request, and the attacker will be able to set an emoji reaction on the target internal note.

Resolution/Workarounds

To mitigate this vulnerability, users should upgrade to the latest GitLab version. The following versions have been patched to address the vulnerability:

- GitLab CE/EE 15.3.5
- GitLab CE/EE 15.4.4
- GitLab CE/EE 15.5.2

Alternatively, it is recommended to apply strict access controls to internal notes and monitor user activities to detect any unauthorized access attempts.

Conclusion

CVE-2022-3819 poses a serious risk to GitLab users, as it allows attackers to gain unauthorized access to internal notes and potentially sensitive information. To ensure the security of GitLab installations, it is essential to upgrade to the latest patched versions and take necessary security measures to prevent unauthorized access.

Timeline

Published on: 11/10/2022 00:15:00 UTC
Last modified on: 11/11/2022 01:37:00 UTC