A new security vulnerability (CVE-2022-4365) has been discovered in GitLab CE/EE, affecting multiple versions of the software. This vulnerability allows a malicious Maintainer to leak the sentry token by changing the configured URL in the Sentry error tracking settings page. In this long read, we'll discuss the details of the vulnerability, how to exploit it, and the steps to mitigate the risk.

Details of the Vulnerability

The vulnerability exists in the GitLab Sentry error tracking settings page. A malicious Maintainer can alter the sentry URL, and by doing so, obtain the sentry token, which should be kept secret. This sentry token can then be used by an attacker to send false error reports or access sensitive data about the system.

Here's an example code snippet showcasing the vulnerable URL input field in the Sentry error tracking settings page:

<form action="/projects/1/services/sentry/edit" method="post">
  <input type="hidden" name="_method" value="patch">
  <input type="hidden" name="authenticity_token" value="...">

  <div class="form-group">
    <label for="service_url">Sentry URL:</label>
    <!-- The user-supplied URL becomes the destination for requests that carry the stored Sentry token. -->
    <input type="url" id="service_url" name="service[url]" value="https://sentry.example.com" class="form-control" required>
  </div>

  ... (other input fields) ...

  <div class="actions">
    <input type="submit" name="commit" value="Save changes" class="btn btn-primary">
  </div>
</form>
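To make the root cause concrete, here is an added Python model of the settings update path. It is example code, not GitLab's implementation of the Sentry integration or of its patch: the class, function names and the sample token are constructed for illustration. The vulnerable variant changes the destination URL while keeping the stored secret, so the next outbound request carries the bearer token to whatever host the URL now names. The hardened variant shows a general defensive pattern (bind the secret to the host it was entered for, drop it when the host changes, and optionally restrict hosts to an allowlist); it is not a description of how GitLab fixed the issue.

```python
"""Added illustration of why a stored Sentry token leaks when the configured URL is
repointed, beside one hardening pattern. Example code, not GitLab's implementation."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class ErrorTrackingSettings:
    api_url: str                        # Sentry API URL configured on the settings page
    token: Optional[str] = None         # secret used to authenticate to Sentry
    token_host: Optional[str] = None    # host the token was entered for (hardened path only)


def set_token(settings: ErrorTrackingSettings, token: str) -> None:
    """Store the secret and remember which host it was entered for."""
    settings.token = token
    settings.token_host = urlparse(settings.api_url).hostname


def build_outbound_request(settings: ErrorTrackingSettings) -> Optional[dict]:
    """Build the request the integration would send to the configured Sentry API.
    Whatever host api_url names receives the bearer token: this is the leak point."""
    if settings.token is None:
        return None
    return {"url": settings.api_url,
            "headers": {"Authorization": f"Bearer {settings.token}"}}


def update_url_vulnerable(settings: ErrorTrackingSettings, new_url: str) -> ErrorTrackingSettings:
    """Vulnerable pattern: the destination changes, the secret stays attached to it."""
    settings.api_url = new_url
    return settings


def update_url_hardened(settings: ErrorTrackingSettings, new_url: str,
                        allowed_hosts: Optional[set] = None) -> ErrorTrackingSettings:
    """Hardened pattern: require an https URL, optionally enforce a host allowlist, and
    if the host differs from the one the token was entered for, discard the token so it
    must be re-entered for the new destination."""
    parsed = urlparse(new_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("Sentry URL must be an https URL with a host")
    if allowed_hosts is not None and parsed.hostname not in allowed_hosts:
        raise ValueError(f"host {parsed.hostname} is not an approved Sentry host")
    if parsed.hostname != settings.token_host:
        settings.token = None
        settings.token_host = None
    settings.api_url = new_url
    return settings


if __name__ == "__main__":
    # Constructed values: 203.0.113.7 is a documentation-range address standing in
    # for a host the Maintainer controls; the token is a placeholder string.
    original = ErrorTrackingSettings(api_url="https://sentry.example.com/api/0/projects/acme/web/")
    set_token(original, "TOKEN-PLACEHOLDER")

    leaky = update_url_vulnerable(ErrorTrackingSettings(**vars(original)), "https://203.0.113.7/api/0/")
    print("vulnerable:", build_outbound_request(leaky))   # token goes to the new host

    safe = update_url_hardened(ErrorTrackingSettings(**vars(original)), "https://203.0.113.7/api/0/")
    print("hardened:", build_outbound_request(safe))      # None: token cleared, must be re-entered
```

Clearing the token on a host change is the part that matters for this class of bug; the allowlist is a second layer for deployments where the set of legitimate Sentry hosts is known in advance.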

Exploiting the Vulnerability

To exploit this vulnerability, an attacker would need to have Maintainer privileges for a GitLab project. Once this privilege is obtained, the attacker can follow these steps:

- Wait for an error event to be triggered and sent to the new URL configured by the attacker.
- Once the error event is triggered, the attacker-controlled server receives the sentry token, along with the other event details.

Mitigation Steps

To mitigate this vulnerability, users are urged to update their GitLab CE/EE installations to the following versions:

Follow the official GitLab documentation on updating your instance:

- Updating GitLab
- GitLab Patch Releases

Additionally, project owners should restrict Maintainer permissions to only trusted users and regularly review the Sentry error tracking settings to ensure the URL has not been changed by an unauthorized party.
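The periodic review recommended above can be scripted. The following Python example is added here and is not GitLab's code: it compares a snapshot of each project's error tracking settings against a recorded baseline and an approved set of Sentry hosts, flagging any project whose API URL was repointed to an unexpected host or downgraded to plaintext. The snapshot is constructed inline; its field names (active, project_name, sentry_external_url, api_url, integrated) follow the shape of GitLab's per-project error tracking settings API response as I understand it, which is an assumption to check against your instance's version before wiring this to live data.

```python
"""Added audit example (not GitLab's code): detect Sentry error-tracking settings whose
API host drifted from the reviewed baseline or lies outside the approved hosts."""
from urllib.parse import urlparse

# Hosts the organisation actually uses for Sentry (constructed example values).
APPROVED_SENTRY_HOSTS = {"sentry.example.com", "sentry.io"}

# Baseline recorded at the last review: project id -> expected API host (constructed).
BASELINE = {101: "sentry.example.com", 102: "sentry.io", 103: "sentry.example.com"}

# Constructed snapshot shaped like per-project error tracking settings responses.
# Field names are assumed from GitLab's API documentation; all values are made up.
CURRENT_SETTINGS = {
    101: {"active": True, "project_name": "web", "integrated": False,
          "sentry_external_url": "https://sentry.example.com/acme/web",
          "api_url": "https://sentry.example.com/api/0/projects/acme/web/"},
    102: {"active": True, "project_name": "mobile", "integrated": False,
          "sentry_external_url": "https://sentry.io/acme/mobile",
          "api_url": "https://sentry.io/api/0/projects/acme/mobile/"},
    # Repointed to a documentation-range address over plaintext: the case to catch.
    103: {"active": True, "project_name": "web", "integrated": False,
          "sentry_external_url": "http://203.0.113.7/acme/web",
          "api_url": "http://203.0.113.7/api/0/projects/acme/web/"},
    # Inactive integration: nothing is sent, so it is skipped.
    104: {"active": False, "project_name": "legacy", "integrated": False,
          "sentry_external_url": "https://sentry.example.com/acme/legacy",
          "api_url": "https://sentry.example.com/api/0/projects/acme/legacy/"},
}


def audit_error_tracking(current: dict, baseline: dict, approved_hosts: set) -> list:
    """Return (project_id, finding, detail) tuples for every active integration whose
    API URL is plaintext, points at an unapproved host, or differs from the baseline host."""
    findings = []
    for project_id, settings in sorted(current.items()):
        api_url = settings.get("api_url")
        if not settings.get("active") or not api_url:
            continue
        parsed = urlparse(api_url)
        host = parsed.hostname
        if parsed.scheme != "https":
            findings.append((project_id, "plaintext-scheme", api_url))
        if host not in approved_hosts:
            findings.append((project_id, "unapproved-host", host))
        expected = baseline.get(project_id)
        if expected is not None and host != expected:
            findings.append((project_id, "host-drift", f"{expected} -> {host}"))
    return findings


if __name__ == "__main__":
    for project_id, finding, detail in audit_error_tracking(CURRENT_SETTINGS, BASELINE, APPROVED_SENTRY_HOSTS):
        print(f"project {project_id}: {finding}: {detail}")
```

Running this on a schedule and alerting on any non-empty result gives the "regularly review" step a concrete detection; updating the baseline only after a reviewer confirms a change keeps the check meaningful.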

Conclusion

CVE-2022-4365 is a serious vulnerability in GitLab CE/EE that allows a malicious Maintainer to leak the sentry token, which can then be used to access sensitive data or manipulate error reports. To mitigate the risk, update your GitLab installation to the latest version and carefully manage Maintainer permissions for your projects. Stay informed about new vulnerabilities and always prioritize security in your software development process.

Timeline

Published on: 01/12/2023 04:15:00 UTC
Last modified on: 01/20/2023 19:31:00 UTC