
Introduction

A critical vulnerability has been discovered in GitLab EE, tracked as CVE-2023-3399, which affects multiple versions of the software. The issue allows unauthorized project or group members to read CI/CD (Continuous Integration and Continuous Deployment) variables through the custom project templates feature. These variables usually hold sensitive material such as credentials and API keys, so leaking them can lead directly to a breach of the systems they protect.

This long-read post will break down the details about this vulnerability and provide guidance on how to remediate it. We will cover the affected GitLab versions, exploit details, and code snippets to help illustrate the problem.

Exploit Details

The heart of this vulnerability lies in the GitLab EE custom project templates feature. When a new project is created using a custom template, the CI/CD variables are cloned from the template to the new project, and any member of the new project can access these variables.

For instance, consider the following snippet from the GitLab Rails application, which retrieves the value of a CI/CD variable named API_KEY for a given project:

# Look up the project by id, then read the value of its API_KEY CI/CD variable.
api_key = Project.find(params[:project_id]).variables.find_by_key('API_KEY').value

Because the variables were copied into the new project, a member of that project who was never granted access to the template project can read them all the same, leading to potential security breaches.

To demonstrate the vulnerability, let's go through the following steps:

1. Create a custom project template by selecting a project, going to Settings, and marking it as a "Template project."

2. Create a new project from the created custom project template by navigating to the "New Project" page and selecting the "Custom Templates" tab.

3. Once the project is created, an unauthorized group or project member can access the CI/CD variables by running the code snippet mentioned earlier.

The above steps clearly show that an unauthorized user in a new project created from a custom project template can access sensitive CI/CD data.

Remediation

To fix the CVE-2023-3399 vulnerability, affected GitLab EE users must upgrade to the patched release for their branch:

- GitLab versions between 11.6 and 16.3.5: upgrade to 16.3.6
- GitLab versions between 16.4 and 16.4.1: upgrade to 16.4.2
- GitLab version 16.5: upgrade to 16.5.1

Upgrading closes the access path but does not undo exposure that has already happened: CI/CD variables that were cloned into projects created from custom templates while a vulnerable version was running should be treated as disclosed and rotated.
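The version ranges above and the template-cloning behaviour described in the steps are the two things a defender has to check. The following Ruby helper is an added example, not GitLab's own code; it runs offline on constructed data and assumes variables have been exported as key/value hashes:

```ruby
# Added example, not GitLab's own code: an offline triage helper for
# CVE-2023-3399. It maps an installed GitLab EE version to the patched release
# named in the advisory, and flags CI/CD variables in a project created from a
# custom template that still carry the template's values, so they can be
# rotated. All data below is constructed; no GitLab instance is contacted.
require 'rubygems'

# Affected ranges from the advisory: [lowest affected version, first fixed version).
FIXED_RANGES = [
  [Gem::Version.new('11.6'), Gem::Version.new('16.3.6')],
  [Gem::Version.new('16.4'), Gem::Version.new('16.4.2')],
  [Gem::Version.new('16.5'), Gem::Version.new('16.5.1')]
].freeze

# Returns the release to upgrade to, or nil when the version is not affected.
# Gem::Version compares component-wise, so '16.10' sorts after '16.9'.
def upgrade_target_for(version_string)
  v = Gem::Version.new(version_string)
  FIXED_RANGES.each do |lowest, fixed|
    return fixed.to_s if v >= lowest && v < fixed
  end
  nil
end

# template_vars / project_vars: { 'KEY' => 'value' } as exported from each
# project's CI/CD variables. A variable counts as inherited when the derived
# project still holds the template's exact key and value; rotate those first.
def inherited_variables(template_vars, project_vars)
  template_vars.select { |key, value| project_vars[key] == value }.keys.sort
end

# Constructed sample data standing in for a template project and one project
# created from it (values are placeholders, not real secrets).
TEMPLATE_VARS = {
  'API_KEY' => 'constructed-template-api-key',
  'DEPLOY_TOKEN' => 'constructed-template-deploy-token'
}.freeze
DERIVED_PROJECT_VARS = {
  'API_KEY' => 'constructed-template-api-key',   # still the template's value
  'DEPLOY_TOKEN' => 'constructed-rotated-token',  # already rotated
  'OWN_VAR' => 'set-by-the-new-project'
}.freeze

if __FILE__ == $PROGRAM_NAME
  target = upgrade_target_for('16.4.1')
  puts target ? "affected: upgrade to #{target}" : 'not affected'
  puts "rotate: #{inherited_variables(TEMPLATE_VARS, DERIVED_PROJECT_VARS).join(', ')}"
end
```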

For more details on the remediation, please refer to the original references:

- Official GitLab Security Advisory
- CVE-2023-3399 on the National Vulnerability Database

Conclusion

The discovery of CVE-2023-3399 in GitLab EE highlights the importance of securing sensitive information contained within CI/CD variables. Unauthorized access to this data could lead to significant security breaches and potential exploitation of the affected services.

This vulnerability can be easily mitigated by upgrading to the appropriate patched versions of GitLab EE, ensuring that sensitive CI/CD variables are not exposed to unauthorized group or project members.

References

- GitLab Security Advisory
- CVE-2023-3399 on the NVD

Timeline

Published on: 11/06/2023 13:15:09 UTC
Last modified on: 11/14/2023 18:01:40 UTC