A critical vulnerability, identified under the Common Vulnerabilities and Exposures (CVE) system as CVE-2023-3102, has been discovered impacting GitLab Enterprise Edition (EE) users. This security issue pertains to a sensitive information leak, which puts private issue and merge request (MR) titles at risk of unauthorized access. Affected versions comprise all releases starting from 16. up to, but not including, 16..6, as well as starting from 16.1 up to, but not including, 16.1.1.

GitLab is a popular platform widely employed by development teams for application lifecycle management. As a significant number of businesses rely on GitLab EE, this vulnerability could potentially impact a wide base of users. This post will delve into the details of this vulnerability, discuss the code snippet related to the issue, and explain the exploitation process.

Vulnerability Overview

CVE-2023-3102 allows malicious actors to gain unauthorized access to the titles of GitLab EE private issues and MRs. Since sensitive information may be contained within these titles, this leak poses a serious threat to the security posture of affected GitLab EE instances.

This vulnerability stems from insufficient access control within GitLab EE. To offer some context, let's examine a hypothetical scenario: User A has two projects within GitLab EE: Project1 (public) and Project2 (private). User B creates and submits an issue or MR against the private Project2. Subsequently, User A creates a merge request against the public Project1, linking it to the issue or MR submitted by User B.

In this scenario, a third, unauthorized actor, User C, can discover the title of the private issue or MR created by User B simply by examining User A's merge request on Project1. This is the sensitive information leak at the heart of CVE-2023-3102.

To mitigate this issue, GitLab has released versions 16..6 for the 16..x series and 16.1.1 for the 16.1.x series, which both contain the necessary fix to eliminate this vulnerability.

Code Snippet

The issue occurs as a result of inadequate access controls within GitLab EE. The following code snippet illustrates the problematic logic present in the affected versions:

def show
  @issue = Issue.find_by_id(params[:id])

  # find_by_id returns nil for an unknown id; guard before calling methods on it
  if @issue.nil? || @issue.private?
    render json: { error: 'Not found' }, status: 404
  else
    # Only the issue's own flag is consulted: the visibility of the project
    # the issue belongs to, and whether the requester may read that project,
    # are never checked.
    render json: @issue.public_data
  end
end

As seen above, the code checks only the private flag of the issue or MR itself; it never validates the visibility of the project the record belongs to, nor whether the requester is permitted to read that project. Consequently, titles of issues and MRs in private projects can be fetched by anyone who can reach the endpoint.
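To make the missing check concrete, here is an added, self-contained illustration (not GitLab's own code): hypothetical Project/Issue/User structs, a show_vulnerable function that mirrors the flag-only logic above, and a show_hardened variant that also validates project visibility and membership, with sample data constructed to match the User A / B / C scenario.

```ruby
# Added illustration, not GitLab's code: tiny in-memory stand-ins for the
# Project/Issue/User models, plus the "issue flag only" check the post
# describes and a hardened check that also validates project visibility.
Project = Struct.new(:name, :visibility, :members) # visibility: :public / :private
Issue   = Struct.new(:id, :title, :project, :confidential)
User    = Struct.new(:name)

# Vulnerable variant (as in the snippet above): consults only the issue's own
# flag, so an issue in a private project is still served to any requester.
def show_vulnerable(issue, _user)
  return { error: 'Not found' } if issue.nil? || issue.confidential
  { title: issue.title }
end

# Hardened variant: the requester must be able to read the parent project,
# and a confidential issue additionally requires project membership.
def can_read_project?(project, user)
  project.visibility == :public || project.members.include?(user)
end

def can_read_issue?(issue, user)
  return false if issue.nil? || !can_read_project?(issue.project, user)
  return issue.project.members.include?(user) if issue.confidential
  true
end

def show_hardened(issue, user)
  return { error: 'Not found' } unless can_read_issue?(issue, user)
  { title: issue.title }
end

# Cross-project reference as rendered inside a merge request description:
# the title is expanded only for viewers who may read the linked issue.
def render_reference(issue, user)
  return '(reference not accessible)' unless can_read_issue?(issue, user)
  "#{issue.project.name}##{issue.id} #{issue.title}"
end

# Constructed sample data mirroring the scenario in the post.
ALICE = User.new('A')
BOB   = User.new('B')
CAROL = User.new('C')            # the unauthorized third party
PROJECT1 = Project.new('Project1', :public,  [ALICE])
PROJECT2 = Project.new('Project2', :private, [ALICE, BOB])
PUBLIC_ISSUE  = Issue.new(3, 'Fix typo in README', PROJECT1, false)
PRIVATE_ISSUE = Issue.new(7, 'Rotate leaked staging credentials', PROJECT2, false)
```

With this data, show_vulnerable hands User C the Project2 issue title, while show_hardened and render_reference return "Not found" / an opaque reference for C and expand the title only for the project members A and B.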

Exploitation Details

Understanding the exploitation process for CVE-2023-3102 is essential to fully comprehend the associated risks. The steps involved are given below:

1. Identify the target GitLab EE instance.
2. Find a public project (Project1) containing a merge request that links to a private issue or MR from another project (Project2).
3. Craft a specially designed request to retrieve the private issue/MR title of the targeted Project2.
4. Send the request to the GitLab EE instance and inspect the response for potentially sensitive title information.

Original References

For more technical details about the CVE-2023-3102 vulnerability, as well as official announcements and patching guidelines, please refer to the following sources:

- GitLab Security Release 16..6 and 16.1.1: Official announcement discussing the vulnerability and the corresponding patch.
- CVE-2023-3102 - CVE Details: A comprehensive rundown of the CVE-2023-3102 vulnerability, including affected versions, a brief summary, and additional references.

Conclusion

CVE-2023-3102 highlights the importance of maintaining a secure development ecosystem and promptly addressing any security vulnerabilities that may arise. Since affected GitLab Enterprise Edition users are susceptible to sensitive information leaks, updating to versions 16..6 or 16.1.1 is highly recommended. As always, businesses should stay vigilant in protecting their software infrastructure, safeguarding both project data and client trust.

Timeline

Published on: 07/21/2023 16:15:00 UTC
Last modified on: 07/31/2023 17:04:00 UTC