A security vulnerability, tracked as CVE-2023-3950, has been discovered in GitLab Enterprise Edition (EE). It is an information disclosure issue that allows users without the appropriate authorization to access sensitive information. The vulnerability affects all GitLab EE versions from 16.2 prior to 16.2.5 and from 16.3 prior to 16.3.1. Other Group Owners were able to view the Public Key of a Google Cloud Logging audit event streaming destination if one was configured. The issue has been resolved: Owners can now only write the key, not read it back.

Details

The vulnerability stems from the permission settings for the Public Key of a Google Cloud Logging audit event streaming destination. Those settings granted Group Owners a view action on the key in addition to the write action, so any Group Owner could read the key back even though only writing it is required to configure the destination. The code snippet below demonstrates the original permission settings that allowed this access to the Public Key.

Original permission settings

{
  "resources": [
    {
      "resourceType": "streamingDestination",
      "resourceName": "googleCloudLogging",
      "allowedActions": [
        "viewPublicKey",
        "writePublicKey"
      ]
    }
  ]
}

The updated permission settings, as demonstrated in the code snippet below, now only allow Owners to write the Public Key, and the "viewPublicKey" action has been removed:

Updated permission settings

{
  "resources": [
    {
      "resourceType": "streamingDestination",
      "resourceName": "googleCloudLogging",
      "allowedActions": [
        "writePublicKey"
      ]
    }
  ]
}
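As an added example (not GitLab's code), a small Python checker that evaluates both permission documents quoted above and flags any resource that still grants a read of secret material. The function names and the SECRET_READ_ACTIONS set are assumptions made for this example.

```python
from __future__ import annotations
import json
from typing import Any

# The two permission documents quoted in the advisory above (copied from the page, not invented).
ORIGINAL_SETTINGS: dict[str, Any] = json.loads("""
{"resources": [{"resourceType": "streamingDestination",
                "resourceName": "googleCloudLogging",
                "allowedActions": ["viewPublicKey", "writePublicKey"]}]}
""")
UPDATED_SETTINGS: dict[str, Any] = json.loads("""
{"resources": [{"resourceType": "streamingDestination",
                "resourceName": "googleCloudLogging",
                "allowedActions": ["writePublicKey"]}]}
""")

# Actions that hand secret material back to the caller (assumed naming for this example).
SECRET_READ_ACTIONS = frozenset({"viewPublicKey"})


def allowed_actions(settings: dict[str, Any], resource_type: str, resource_name: str) -> frozenset[str]:
    """Collect the actions granted on one resource; an unknown resource gets nothing (deny by default)."""
    granted: set[str] = set()
    for res in settings.get("resources", []):
        if res.get("resourceType") == resource_type and res.get("resourceName") == resource_name:
            granted.update(res.get("allowedActions", []))
    return frozenset(granted)


def is_allowed(settings: dict[str, Any], resource_type: str, resource_name: str, action: str) -> bool:
    """Permission check used by a caller: True only if the action is explicitly granted."""
    return action in allowed_actions(settings, resource_type, resource_name)


def secret_read_findings(settings: dict[str, Any]) -> list[str]:
    """Audit: list every resource that grants an action which reads a secret back (the flaw above)."""
    findings: list[str] = []
    for res in settings.get("resources", []):
        leaked = SECRET_READ_ACTIONS.intersection(res.get("allowedActions", []))
        for action in sorted(leaked):
            findings.append(f"{res.get('resourceType')}/{res.get('resourceName')}: grants {action}")
    return findings


if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_SETTINGS), ("updated", UPDATED_SETTINGS)):
        print(label, "viewPublicKey allowed:",
              is_allowed(doc, "streamingDestination", "googleCloudLogging", "viewPublicKey"),
              "findings:", secret_read_findings(doc))
```

Running the audit function over a configuration export is a quick way to confirm that no secret-bearing resource exposes a read action after the upgrade.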

References

1. GitLab Security Advisory: https://gitlab.com/gitlab-org/security-advisories/tree/master/2023_395
2. GitLab Version Update: https://gitlab.com/gitlab-org/gitlab/-/releases/v16.2.5
3. GitLab Version Update: https://gitlab.com/gitlab-org/gitlab/-/releases/v16.3.1

Exploit Details

Exploiting this vulnerability would allow an attacker who already holds Group Owner access to view the Public Key of an audit event streaming destination. While the Public Key might not provide direct access to sensitive data on its own, it could serve as a stepping stone for further, more damaging attacks.

Prevention and Mitigation

This vulnerability has been patched, and updates have been released for the affected GitLab EE versions. Users are advised to apply the updates as soon as possible to prevent unauthorized access to sensitive information. In addition, administrators should review user access rights, Group Owner membership in particular, to ensure that only authorized users can perform the actions their role requires.

Conclusion

CVE-2023-3950 is an important security vulnerability that has been discovered and fixed in GitLab EE. It demonstrates the importance of regularly updating your software and keeping an eye out for security patches. The vulnerability could have potentially led to unauthorized access to sensitive information, highlighting the importance of proper access control in software development. By staying vigilant and applying security best practices, we can minimize the risks posed by such vulnerabilities.

Timeline

Published on: 09/01/2023 11:15:00 UTC
Last modified on: 09/01/2023 21:14:00 UTC