A recent cross-site scripting (XSS) vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), putting numerous users and organizations at risk. This vulnerability, identified as CVE-2022-2904, affects all versions of GitLab starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1.

Exploit Details

The cross-site scripting vulnerability is present in GitLab's external status checks feature. Attackers can exploit it to perform arbitrary actions on behalf of victims on the client side. The vulnerability is particularly dangerous because it is a stored XSS: the payload is saved server-side and is executed again on every victim's browser each time the affected page is rendered.

Code Snippet

To demonstrate the vulnerability, let's take a look at a simple example. An attacker could submit the following malicious payload in the external status checks feature when creating a new merge request:

<img src="x" onerror="alert('XSS')">

When a victim views this merge request or opens GitLab's interface, the malicious payload is executed, triggering an alert with the message "XSS". This example payload is harmless, but attackers could use more dangerous payloads to perform actions on behalf of victims or steal sensitive information.
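To make the bug class and its fix concrete, the following is an added Ruby example, not GitLab's own code. It renders a status check name into an HTML list item twice, once with raw interpolation (the vulnerable pattern) and once through ERB::Util.html_escape (the pattern a Rails view uses via the h helper), and then runs a small audit over a constructed list of stored names to flag entries containing markup-significant characters. The function names, the list item markup and the sample names are assumptions for the illustration.

```ruby
# Added example (not GitLab's code): vulnerable vs. hardened rendering of an
# external status check name, plus an audit helper for stored records.
require "erb"

# Constructed sample payload of the kind described in the advisory.
PAYLOAD = %q(<img src="x" onerror="alert('XSS')">)

# Vulnerable pattern: untrusted text interpolated straight into markup.
# The browser sees a live <img> element with an onerror handler.
def render_status_check_unsafe(name)
  "<li class=\"status-check\">#{name}</li>"
end

# Hardened pattern: escape &, <, >, " and ' before the text reaches the page.
# ERB::Util.html_escape is the escaper behind Rails' h() view helper.
def render_status_check_safe(name)
  "<li class=\"status-check\">#{ERB::Util.html_escape(name)}</li>"
end

# Defender-side check: a stored status check name that contains characters
# significant to HTML deserves review. Because the XSS is stored, the payload
# stays in the database after the instance is patched until it is removed.
MARKUP_CHARS = /[<>"'&]/

def suspicious_name?(name)
  !!(name =~ MARKUP_CHARS)
end

# Returns the subset of stored names worth reviewing.
def audit(names)
  names.select { |n| suspicious_name?(n) }
end

if __FILE__ == $0
  # Constructed stored names: two legitimate ones and the sample payload.
  stored = ["Security scan", PAYLOAD, "QA approval"]
  puts render_status_check_unsafe(PAYLOAD)
  puts render_status_check_safe(PAYLOAD)
  p audit(stored)
end
```

The escaped output contains no tag the browser will parse, so the name is displayed literally instead of executing. The audit is deliberately broad (any markup-significant character), which is the right trade-off for a one-off review of a small table of stored names.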

Original References

The vulnerability was reported to the GitLab team, who acknowledged its severity and released patches to address the issue. The original advisory is available on GitLab's official website: CVE-2022-2904 Advisory

GitLab also issued a blog post announcing the security release, which provides more information on the vulnerability and the patched versions: GitLab Security Release: 14.7.1

Mitigation and Recommendations

To protect yourself from this vulnerability, it is strongly recommended that you update your GitLab instance to a version that includes the relevant security patches. Based on the affected ranges above, the patched versions are as follows:

For GitLab 15.2.x users, update to 15.2.5
For GitLab 15.3.x users, update to 15.3.4
For GitLab 15.4.x users, update to 15.4.1

Additionally, ensure that you're following best practices for securing your GitLab environment. These include keeping your software up-to-date, restricting access to sensitive areas, and educating your team on potential risks like cross-site scripting and other security vulnerabilities.

Conclusion

CVE-2022-2904 is a critical cross-site scripting vulnerability affecting multiple GitLab CE/EE versions. To safeguard your organization and user data, it is crucial that you apply the latest security patches as soon as possible. Stay informed about security updates, follow best practices, and remain vigilant against potential threats in the evolving cybersecurity landscape.

Timeline

Published on: 11/02/2022 20:15:00 UTC
Last modified on: 11/03/2022 17:26:00 UTC