Summary:
A significant vulnerability (CVE-2023-3979) has been found in GitLab, allowing members from upstream repositories to gain write access to the source branch of a Merge Request (MR). This post will walk you through how the bug works, affected versions, exploitation scenarios, and how you can protect your team. Example scenarios and code snippets are provided so you can understand the risks clearly.

What is CVE-2023-3979?

GitLab is a popular DevOps platform with tools for project planning, source code management, and CI/CD. This vulnerability affects how GitLab handles collaborations on Merge Requests (MRs).

Issue:
When a Merge Request is opened from a fork to the upstream repository, upstream users (people with write permission on the main project) could push code changes directly to the MR's source branch in the fork, even when the contributor had not granted that permission. This lets them change your contribution, intentionally or accidentally, undermining the integrity and privacy of your code.

Affected GitLab Versions

According to the GitLab advisory:

16.4 up to, but not including, 16.4.1

If your server is on these versions, you *should* update immediately.

Normal Behavior:

When User A opens an MR from their fork, only User A can modify the source branch.

Vulnerability:
With CVE-2023-3979, members of the upstream project could also push changes directly to the source branch, potentially *without the original contributor’s knowledge or consent*.

Fork and Branch:

User A forks upstream/repo and creates a new feature branch in their fork.

# As User A: clone the fork (UserA/repo), not the upstream project
git clone https://gitlab.com/UserA/repo.git
cd repo
git checkout -b feature/login-fix
# (User A makes changes)
git push origin feature/login-fix

Merge Request:

User A opens an MR from UserA/repo:feature/login-fix ➡️ upstream/repo:main.

Unexpected Collaboration:

Due to the vulnerability, an upstream member (e.g., User B, maintainer on upstream/repo) notices the MR and can push changes directly to User A’s branch.

# As User B (upstream maintainer):
git remote add user-a-fork https://gitlab.com/UserA/repo.git
git fetch user-a-fork
git checkout user-a-fork/feature/login-fix
# Make unwanted or malicious changes
git commit -am 'Insert backdoor'
git push user-a-fork HEAD:feature/login-fix

What Just Happened?

User B’s code is now in User A’s fork _even though User A never authorized it_. This means upstream maintainers had write control over all downstream forks’ source branches for open MRs.

Real-World Threats

- Tampering: Upstream maintainers (even malicious ones) can add, alter, or sabotage contributors’ work.
- Malicious Code: They can insert secrets, vulnerabilities, or changes that manipulate CI/CD pipelines.

Visual Example

[User A: Forked Repo, Feature Branch] --MR--> [Upstream Repo: Main]
                 ^
                 |
  (Upstream Maintainer pushes changes to User A's feature branch)

- Use git log and MR diff history to spot unexpected commits

git log origin/feature/login-fix
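To make the "spot unexpected commits" check concrete, here is an added shell example; it is not code from the original post or from GitLab. It builds a throw-away local repository that mimics User A's feature branch after a maintainer has pushed to it, then lists every commit whose committer e-mail differs from the fork owner's. It goes slightly beyond the single git log above by filtering on committer identity and exposing a count that a script or CI job can gate on. The repository path, the branch name and the two e-mail addresses are constructed for the demo; in practice you would point it at a clone of the fork and at the branch named in the MR.

```shell
#!/bin/sh
# Assumes git is installed. All identities, paths and the branch name below
# are constructed for this demo; none come from a real project.

# List commits on BRANCH in REPO whose committer e-mail is not EXPECTED_EMAIL.
# Output: "<sha> <committer e-mail> <subject>", one line per commit.
unexpected_commits() {
  repo="$1"; branch="$2"; expected="$3"
  git -C "$repo" log --format='%H%x09%ce%x09%s' "$branch" |
    awk -F '\t' -v want="$expected" '$2 != want { print $1, $2, $3 }'
}

# Number of unexpected commits (handy for a CI gate: non-zero means review).
unexpected_commit_count() {
  unexpected_commits "$1" "$2" "$3" | wc -l | tr -d ' '
}

# commit_as <repo> <name> <email> <message>: commit all changes under an identity.
# Environment variables are used so that no git config can override the identity.
commit_as() {
  GIT_AUTHOR_NAME="$2" GIT_AUTHOR_EMAIL="$3" \
  GIT_COMMITTER_NAME="$2" GIT_COMMITTER_EMAIL="$3" \
    git -C "$1" commit -q -a -m "$4"
}

# Build a throw-away repository mimicking User A's fork after a maintainer push.
make_demo_repo() {
  dir="$1"
  rm -rf "$dir"
  git init -q "$dir"
  git -C "$dir" checkout -q -b feature/login-fix
  # User A's own commit (constructed identity)
  echo 'login fix' > "$dir/login.txt"
  git -C "$dir" add login.txt
  commit_as "$dir" 'User A' 'usera@example.com' 'Fix login redirect'
  # Commit that an upstream maintainer pushed onto the same branch (constructed identity)
  echo 'extra' >> "$dir/login.txt"
  commit_as "$dir" 'User B' 'userb@example.com' 'Insert backdoor'
}

DEMO_DIR="${TMPDIR:-/tmp}/cve-2023-3979-demo"
make_demo_repo "$DEMO_DIR"
echo "Commits on feature/login-fix not made by usera@example.com:"
unexpected_commits "$DEMO_DIR" feature/login-fix usera@example.com
```

Run it against a clone of your fork with `unexpected_commits <clone> <mr-branch> <your-email>`. One caveat: author and committer fields are self-reported by whoever pushes, so a maintainer could set them to match yours. Treat this as a first-pass triage aid and corroborate with the MR's activity history and, where your project uses it, commit signature verification (`git log --show-signature`).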

Update GitLab:

- GitLab 16.2.8
- GitLab 16.3.5
- GitLab 16.4.1

Disable 'Allow maintainers to push':

If you do not trust upstream maintainers with your source branch, make sure the MR option for “Allow maintainers to push to the source branch” is turned off (if available and relevant to the workflow).

GitLab Official Advisory:

Security Release: 16.4.1, 16.3.5, 16.2.8

CVE Details:

NVD - CVE-2023-3979

Closing Thoughts

Vulnerabilities like CVE-2023-3979 show that even trusted tools like GitLab can introduce risks into open-source and internal collaboration. Always keep servers patched and maintain a healthy sense of vigilance when handling your code.

If you run a GitLab server or contribute to open source projects, update your software now, ensure the right permissions, and always review code history.

Timeline

Published on: 09/29/2023 07:15:00 UTC
Last modified on: 10/03/2023 16:04:00 UTC