In late 2023, a security issue was discovered affecting several versions of GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability, designated as CVE-2023-5831, is an information disclosure risk that could leak sensitive GitLab version metadata to unauthorized users. This post will break down what happened, how it works, and what you should do to keep your GitLab instance safe.

Who Is Affected?

CVE-2023-5831 impacts GitLab CE and EE when the super_sidebar_logged_out feature flag is enabled (the flag is disabled by default). Here are the affected versions:

16.5.0 only (the 16.5 line before 16.5.1). Earlier release lines such as 16.4 are not affected.

> Note: If you never enabled super_sidebar_logged_out, your system is not affected.

How the Issue Happened

When the super_sidebar_logged_out feature flag is on, certain parts of GitLab’s web interface available to users who are not logged in (logged-out users) may unintentionally expose GitLab’s version metadata.

This metadata includes information about which exact version of GitLab you’re running on your server. Knowing the software version can be a valuable clue for attackers looking to exploit other vulnerabilities.

Technical Details

The vulnerable condition was introduced with the super_sidebar_logged_out feature. Version information should not normally be visible to anonymous visitors, but due to an oversight, enabling this feature flag made it possible for unauthenticated users to extract the version number from web responses.

Here is a simplified, illustrative snippet (not GitLab's actual code) of the kind of mistake involved:

# Illustrative vulnerable snippet in a Rails controller/view.
# The only gate is the feature flag; nothing checks whether the requester
# is authenticated, so anonymous visitors receive the version as well.
if Feature.enabled?(:super_sidebar_logged_out)
  render json: { gitlab_version: Gitlab::VERSION }
end

When a request is made (e.g., loading the sidebar as a logged-out user), the API or view could include output similar to the following (illustrative; the exact key and format depend on the page):

{
  "gitlab_version": "16.5.0-ee"
}

The attack flow is short:

1. Request: The attacker automates requests to the affected logged-out pages, or simply browses to such a URL, without authenticating.

2. Response: Because the feature flag is enabled, the response accidentally reveals the GitLab version.

3. Leverage: The attacker now knows the exact version and can check whether any public exploits exist for it.

Here is an example with curl (assuming you enabled the feature flag; the /-/super_sidebar path is a placeholder for whichever logged-out page carries the sidebar data on your instance):

curl -s https://your.gitlab.instance/-/super_sidebar | grep gitlab_version

Response (illustrative):

{"gitlab_version": "16.5.0-ee"}
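To make the exposure described above checkable, here is an added example (not part of the original post and not GitLab's own code). It parses a GitLab version string, decides whether that release falls in the affected range (16.5 before 16.5.1), and scans an unauthenticated response body for a leaked version so the two can be combined into a verdict. The sample response bodies are constructed inline; the gitlab_version JSON key is carried over from the illustrative snippet above, and the data-gitlab-version attribute form is an assumption about how a view might embed the same value, so adjust the patterns to whatever your instance actually returns.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected range for CVE-2023-5831: the 16.5 line before 16.5.1 (i.e. 16.5.0).
AFFECTED_MINOR = (16, 5)
FIXED_IN = (16, 5, 1)


@dataclass(frozen=True)
class GitLabVersion:
    major: int
    minor: int
    patch: int
    edition: Optional[str]  # "ce", "ee" or None when the suffix is absent

    @classmethod
    def parse(cls, text: str) -> "GitLabVersion":
        # Accepts forms such as "16.5.0", "16.5.0-ee", "16.5.0-ce", "v16.5.1-ee".
        m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?", text.strip())
        if not m:
            raise ValueError(f"unrecognised GitLab version: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), m[4])

    def as_tuple(self):
        return (self.major, self.minor, self.patch)


def is_affected(version: str, flag_enabled: bool) -> bool:
    """True only for a 16.5.x release below 16.5.1 with the flag turned on."""
    v = GitLabVersion.parse(version)
    in_range = (v.major, v.minor) == AFFECTED_MINOR and v.as_tuple() < FIXED_IN
    return in_range and flag_enabled


# Patterns a leaked version might appear under in an unauthenticated response.
# The JSON key mirrors the illustrative snippet in the post; the data-attribute
# form is an assumption (hypothetical), not something taken from GitLab.
VERSION_PATTERNS = [
    re.compile(r'"gitlab_version"\s*:\s*"([^"]+)"'),
    re.compile(r'data-gitlab-version="([^"]+)"'),
]


def find_leaked_version(body: str) -> Optional[str]:
    """Return the first version string found in a response body, if any."""
    for pat in VERSION_PATTERNS:
        m = pat.search(body)
        if m:
            return m[1]
    return None


def assess(body: str, flag_enabled: bool = True) -> dict:
    """Combine the leak scan and the version range check into one verdict."""
    leaked = find_leaked_version(body)
    return {
        "leaked_version": leaked,
        "affected": bool(leaked) and is_affected(leaked, flag_enabled),
    }


# Constructed sample responses (not captured from a real instance).
SAMPLE_LEAKY_JSON = '{"gitlab_version": "16.5.0-ee"}'
SAMPLE_CLEAN_HTML = "<html><body><nav class='super-sidebar'></nav></body></html>"

if __name__ == "__main__":
    for name, body in (("json", SAMPLE_LEAKY_JSON), ("html", SAMPLE_CLEAN_HTML)):
        print(name, assess(body))
```

A leaked version string on its own is not proof of this CVE: a 16.5.1 or 16.4.x string means the instance is disclosing something it should not, but not through the code path this advisory covers, so the verdict only turns true for the affected range with the flag enabled.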

Discovery and Fix

- Issue discovered: October 2023 (by GitLab's security team or an external researcher)
- Patched versions released: October 26, 2023 (see GitLab security release blog)
- CVE published: https://nvd.nist.gov/vuln/detail/CVE-2023-5831
- Fixed in: 16.5.1 (see official release notes: GitLab 16.5.1 Release)

Original References

- GitLab Security Release Blog
- GitLab Issue Tracker - CVE-2023-5831
- National Vulnerability Database – CVE-2023-5831

Conclusion

This vulnerability is an example of how even minor oversights in feature development can have serious consequences, especially in widely used software like GitLab. While this issue does not allow remote code execution or direct data compromise, leaking version metadata gives attackers unnecessary clues.

Action items:

- Upgrade to GitLab 16.5.1 or later if you are running 16.5.0.
- If you cannot upgrade right away, disable the super_sidebar_logged_out feature flag (it is off by default, so only instances that explicitly turned it on are exposed).
- Stay subscribed to GitLab security release announcements.

If you want more technical insight or a detection script, check the official issues or ask the GitLab community for help.

Timeline

Published on: 11/06/2023 11:15:09 UTC
Last modified on: 11/14/2023 16:59:46 UTC