CVE-2023-5009: GitLab EE Security Vulnerability - Scheduled Security Scan Policies Bypass of CVE-2023-3932

A recently uncovered vulnerability (CVE-2023-5009) in GitLab Enterprise Edition (EE) affects all versions of the software, starting from 13.12 up to 16.2.7, and all versions starting from 16.3 up to 16.3.4. This security issue enables an attacker to run pipeline jobs as an arbitrary user using scheduled security scan policies, bypassing the previously reported CVE-2023-3932 vulnerability. This post will provide an in-depth overview of the exploit details, code snippets, and links to original references for better understanding.

Exploit Details

The primary issue with CVE-2023-5009 lies in the scheduled security scan policies feature of GitLab EE. As previously mentioned, this exploit bypasses the earlier reported vulnerability, CVE-2023-3932, which was supposed to mitigate such issues.

To exploit this vulnerability, an attacker can create a pipeline job in the GitLab repository with malicious code. When the scheduled security scan policy runs, it will execute the malicious code as an arbitrary user, potentially granting the attacker access to sensitive data, unauthorized permissions, and control over certain parts of the affected GitLab EE instance.

This code snippet demonstrates how an attacker might exploit this vulnerability

git checkout -b my-malicious-branch
echo "Malicious code here" > exploit.sh
git add exploit.sh
git commit -m "Add exploit.sh"
git push -u origin my-malicious-branch

After the attacker has successfully pushed the malicious branch containing the exploit.sh file, the scheduled security scan policy will potentially execute this code during the next scan, leading to the security breach.

GitLab EE 16.3.4 (for those on the 16.3.x release)

Updating to the latest version should resolve this security issue and prevent attackers from exploiting the CVE-2023-5009 vulnerability.

Conclusion

CVE-2023-5009 is a severe security vulnerability in GitLab EE, which affects multiple versions of the software. This exploit allows attackers to run pipeline jobs as an arbitrary user due to a bypass of the previously reported CVE-2023-3932 vulnerability. All GitLab EE users should update their installations without delay, ensuring the security and integrity of their platform.

Original References

- CVE-2023-5009 Gitlab Advisory
- CVE-2023-3932 Advisory
- GitLab Security Release 16.2.7 and 16.3.4

Timeline

Published on: 09/19/2023 08:16:00 UTC
Last modified on: 09/21/2023 18:44:00 UTC