A vulnerability in GitLab Enterprise Edition (EE) allows changes to be merged without the approval that the project's code owners are supposed to give. It affects all versions starting from 15.3 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. Successful exploitation bypasses mandatory code review: changes that never received the required sign-off can be merged into the target branch, and from there into whatever is built or deployed from the repository.

Vulnerability Details

The flaw is in GitLab's code owner approval handling. When the target branch of a merge request was updated, an approval that a code owner had already given should have been removed so that the change had to be reviewed again; in certain situations it was not. An attacker who had obtained a code owner approval once therefore kept it after the target branch had moved, and could merge changes that the code owners had not approved in the state in which they were actually merged.

This vulnerability has been assigned a CVE identifier: CVE-2023-4379.

The following git workflow illustrates the sequence of events in which the missing approval reset matters. It is an ordinary developer workflow, not an exploit.

# Merge request author: branch, commit and push, then open a merge request against main
git checkout -b new_feature
echo "new feature" >> readme.md
git add readme.md && git commit -m "Add new feature"
git push --set-upstream origin new_feature
# open a merge request from new_feature into main in the GitLab UI or API;
# a code owner approves it at this point

# Target branch update: an unrelated commit lands on main while the merge request is still open
git checkout main
git pull --ff-only
echo "unrelated change" >> other_file.md
git add other_file.md && git commit -m "Unrelated change"
git push

The first block is the normal merge request workflow: a feature branch is created, committed and pushed, and a merge request is opened against main. The second block updates the target branch, main, with an unrelated commit. Suppose a code owner approved the merge request between the two blocks. The expected behaviour is that the approval no longer counts once main has moved, because the change would now be merged onto a different base than the one the code owner reviewed; on affected versions the approval stayed in place and the merge request remained mergeable without a fresh review. Two caveats: the commands themselves bypass nothing, since git enforces no approvals, and the second block needs push rights on main, so in practice the target branch update is usually someone else's legitimate merge rather than a push by the attacker. The bypass lives in GitLab's approval bookkeeping, not in the repository.
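To make the invariant behind this bug concrete, here is a small model of merge request approval bookkeeping. It is an added example written for this page, not GitLab's code. Each approval records the source and target commits the approver saw; a flag switches between the behaviour the page describes for affected versions (an approval survives a target branch update) and the expected behaviour (it is dropped). The CODEOWNERS-style rules are a constructed prefix-to-owners mapping, not a parser for the real file format, and treating every change of the target head as an update that invalidates approvals is a deliberately strict modelling assumption, not a description of GitLab's actual policy. All commit ids and user names are made up.

```python
"""Model of approval bookkeeping bound to the reviewed commits (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Approval:
    user: str
    source_sha: str  # head of the source branch the approver reviewed
    target_sha: str  # head of the target branch at approval time


@dataclass
class MergeRequest:
    source_sha: str
    target_sha: str
    changed_files: tuple
    # Constructed CODEOWNERS-style rules: path prefix -> set of owner user names
    codeowners: dict
    # True: expected behaviour. False: behaviour the page describes for affected versions.
    reset_on_target_update: bool = True
    approvals: list = field(default_factory=list)

    def required_owner_sets(self):
        """One owner set per rule whose prefix matches a changed file; each set
        needs at least one approval from one of its members."""
        return [
            frozenset(owners)
            for prefix, owners in self.codeowners.items()
            if any(path.startswith(prefix) for path in self.changed_files)
        ]

    def approve(self, user):
        """Record an approval bound to the exact commits under review right now."""
        self.approvals.append(Approval(user, self.source_sha, self.target_sha))

    def _prune(self):
        """Drop approvals that no longer refer to the commits under review.
        Source changes always invalidate; target changes only in strict mode."""
        self.approvals = [
            a for a in self.approvals
            if a.source_sha == self.source_sha
            and (a.target_sha == self.target_sha or not self.reset_on_target_update)
        ]

    def push_to_source(self, new_sha, changed_files=None):
        self.source_sha = new_sha
        if changed_files is not None:
            self.changed_files = tuple(changed_files)
        self._prune()

    def update_target(self, new_sha):
        """The target branch moved (an unrelated commit landed on it)."""
        self.target_sha = new_sha
        self._prune()

    def code_owner_rules_satisfied(self):
        approvers = {a.user for a in self.approvals}
        return all(owners & approvers for owners in self.required_owner_sets())


def scenario(reset_on_target_update):
    """Replay the page's workflow: merge request opened, a code owner approves,
    then the target branch moves. Returns whether the MR is still mergeable."""
    mr = MergeRequest(
        source_sha="feat-1", target_sha="main-1",
        changed_files=("readme.md",),
        codeowners={"readme.md": {"docs-owner"}, "src/": {"core-owner"}},
        reset_on_target_update=reset_on_target_update,
    )
    mr.approve("docs-owner")
    assert mr.code_owner_rules_satisfied()
    mr.update_target("main-2")  # unrelated commit lands on main
    return mr.code_owner_rules_satisfied()


if __name__ == "__main__":
    print("affected behaviour, still mergeable after target update:", scenario(False))
    print("expected behaviour, still mergeable after target update:", scenario(True))
```

Running the file prints True for the affected behaviour and False for the expected one: the same approval, the same commands, and only the bookkeeping rule decides whether the merge request can be merged without a second look from the code owner. Any merge gate, whether GitLab's or a home-grown bot, needs the same property: an approval must not outlive the state it was granted for.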

More information about this vulnerability is available in GitLab's security release post:

* GitLab security release: https://about.gitlab.com/releases/2022/03/24/critical-security-release-gitlab-16-4-1-released

Exploit Details

At the time of writing, there are no known public exploits for this vulnerability. However, users are advised to remain vigilant and promptly update their GitLab instances to a patched version as soon as possible to prevent potential exploitation.

The following GitLab EE versions contain the fix for this issue; all three were announced in the security release post linked above:

* GitLab EE 16.2.8
* GitLab EE 16.3.5
* GitLab EE 16.4.1

Users running affected versions are strongly recommended to update their instances as soon as possible. Regular maintenance and updates are key to ensuring software security and protecting against potential threats.
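A quick way to check whether an instance falls inside the affected ranges listed above and below the fixed versions, as an added example that is not part of the original page or of GitLab's tooling. The ranges are the ones the advisory states; the edition check matters because GitLab CE reports its version without a suffix (for example 16.4.0) while EE reports 16.4.0-ee, and the vulnerable code owner approval feature is EE-only. GET /api/v4/version is a real GitLab endpoint that requires an authenticated token; the host name and token in the usage line are placeholders.

```python
"""Check a GitLab version string against the CVE-2023-4379 affected ranges (added example)."""
import json
import re
import urllib.request

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((15, 3, 0), (16, 2, 8)),
    ((16, 3, 0), (16, 3, 5)),
    ((16, 4, 0), (16, 4, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\w+))?$")


def parse_version(version):
    """Split '16.3.4-ee' into ((16, 3, 4), 'ee'). CE builds have no suffix,
    so they parse to an empty edition; pre-release builds such as '16.5.0-pre'
    return 'pre' and are left for the caller to judge."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), (suffix or "").lower()


def is_affected(version):
    """True if this is an EE build inside one of the affected ranges.
    Non-EE strings return False because the feature at fault is EE-only."""
    number, edition = parse_version(version)
    if edition != "ee":
        return False
    return any(low <= number < high for low, high in AFFECTED_RANGES)


def fetch_version(base_url, token):
    """Ask a live instance for its version via GET /api/v4/version.
    The token is assumed to carry the read_api scope. This is not called at
    import time, so the module itself runs offline."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    import sys
    # Pass version strings on the command line, or replace the placeholders
    # below with a real host and token to query an instance directly.
    versions = sys.argv[1:] or [fetch_version("https://gitlab.example.com", "glpat-REDACTED")]
    for v in versions:
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

Version comparison is done on integer tuples rather than on strings, which is what makes 16.10.0 sort after 16.9.0 correctly; string comparison would get that wrong and is a common source of false negatives in home-grown version checks.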

Conclusion

With regular updates to software, organizations can mitigate risk and avoid potentially devastating exploits. As such, it is crucial to stay informed about the latest vulnerability reports and to apply patches as soon as they become available. By keeping GitLab instances up to date, organizations can guard against unauthorized code changes, protect their infrastructure and ensure the security and integrity of their repositories.

Timeline

Published on: 11/09/2023 21:15:24 UTC
Last modified on: 11/16/2023 19:24:36 UTC