CVE-2023-0050: GitLab Stored Cross-Site Scripting (XSS) Vulnerability in Kroki Diagrams

CVE-2023-0050 refers to a stored cross-site scripting (XSS) vulnerability that has been discovered in GitLab, a popular web-based platform for code sharing, collaboration, and version control. This vulnerability affects all GitLab versions starting from 13.7 up until present-day releases, with specific version ranges being: 13.7-15.7.8, 15.8-15.8.4, and 15.9-15.9.2. Attackers can exploit this vulnerability by crafting a malicious Kroki diagram, which then enables them to execute arbitrary actions on behalf of the victims.

Exploit Details

A specially crafted Kroki diagram can be used by an attacker to inject malicious code into the GitLab environment, leading to a stored XSS attack on the client-side. This enables the attacker to perform arbitrary actions, such as stealing user credentials, manipulating content or redirecting users to malicious websites, all while impersonating the victim user.

For those unfamiliar with Kroki, it is an open-source project that allows users to generate diagrams, flowcharts, and similar visuals from plain text input. GitLab integrates Kroki into its platform, allowing developers to create and display diagrams within their projects and repositories.

The following code snippet demonstrates a hypothetical malicious Kroki diagram that could exploit the vulnerability:

[mermaid]
graph LR
A[Malicious&lt;img src=x onerror=alert(1)&gt;Node] --&gt; B[Another Node]
B --&gt; C[Final Node]
[/mermaid]

In this example, the code embeds an image tag (<img src=x onerror=alert(1)>) within the malicious node label, causing the JavaScript alert(1) to execute when the XSS payload is triggered. By manipulating this payload, an attacker can create more harmful actions, such as stealing session cookies and performing actions on behalf of the user.

Original References

1. GitLab Security Release: https://about.gitlab.com/releases/2023/10/15/security-release-gitlab-15-8-4-gitlab-15-9-2-gitlab-16--/
2. CVE-2023-0050 (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-0050
3. Kroki Project: https://kroki.io/

Mitigation Steps

To protect against this vulnerability, users should update their GitLab instance to one of the fixed versions mentioned in the GitLab Security Release. The fixed versions are:

GitLab 15.9.2

It is crucial for administrators and users to keep GitLab up-to-date to minimize the risk of such vulnerabilities affecting their environment.

Conclusion

CVE-2023-0050 highlights the potential for stored XSS attacks within GitLab through the use of malicious Kroki diagrams. By staying informed about potential threats and regularly updating the software, users can safeguard their GitLab environments and protect their valuable code from exploitation.

Timeline

Published on: 03/09/2023 22:15:00 UTC
Last modified on: 03/15/2023 15:46:00 UTC