CVE-2022-3870: GitLab CE/EE Avatar Disclosure Vulnerability for Private Instances - Exploit and Mitigation

A recently discovered vulnerability, CVE-2022-3870, affects GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) and permits unauthenticated individuals to download user avatars using the victim's user ID on private instances that have restricted public level visibility. It impacts:

* All versions starting from 10. before 15.5.7
* All versions starting from 15.6 before 15.6.4
* All versions starting from 15.7 before 15.7.2

In this post, we will review how the vulnerability can be exploited, what you can do to mitigate the issue, and where to find additional information regarding this security concern.

Exploit Details

The vulnerability exists because GitLab fails to adequately protect the avatars of users on private instances. An attacker can exploit this by crafting a specific HTTP request that includes the victim's user ID, thereby gaining access to private user avatar images. Below is a sample of an HTTP request that an attacker could use:

GET /uploads/-/system/user/avatar/{USER_ID}/file.jpg HTTP/1.1
Host: gitlab.example.com

Where {USER_ID} should be replaced with the numeric ID of the target user. It's important to note that exploiting this vulnerability does not grant access to additional user information or resources outside of the avatar image itself. However, the attacker may still benefit from such information, particularly if the avatar image contains sensitive or private data.
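Because the request above carries no credential, the defender's side of this issue is spotting scripted avatar retrieval in front-end logs. The following is an added example for this post, not GitLab's code or anything from the advisory: it parses NGINX lines in the stock "combined" format (an assumption about how the reverse proxy is configured), extracts the numeric user ID from the avatar path shown above, and flags any client that fetched avatars for several distinct users. The log lines in SAMPLE_LOG are constructed for illustration and use documentation IP ranges.

```python
"""Flag avatar-enumeration patterns in NGINX access logs (added example).

Assumes the NGINX 'combined' log format; the sample lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Path pattern from the request shown in the advisory; capture the numeric user ID.
AVATAR_PATH_RE = re.compile(r"^/uploads/-/system/user/avatar/(\d+)/")

# NGINX 'combined' format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one client walks user IDs 1..4, another fetches a single avatar normally.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2023:04:20:01 +0000] "GET /uploads/-/system/user/avatar/1/file.jpg HTTP/1.1" 200 18342 "-" "curl/7.85.0"
203.0.113.7 - - [12/Jan/2023:04:20:01 +0000] "GET /uploads/-/system/user/avatar/2/file.jpg HTTP/1.1" 200 9021 "-" "curl/7.85.0"
203.0.113.7 - - [12/Jan/2023:04:20:02 +0000] "GET /uploads/-/system/user/avatar/3/file.jpg HTTP/1.1" 404 153 "-" "curl/7.85.0"
203.0.113.7 - - [12/Jan/2023:04:20:02 +0000] "GET /uploads/-/system/user/avatar/4/file.jpg HTTP/1.1" 200 11230 "-" "curl/7.85.0"
198.51.100.23 - - [12/Jan/2023:04:21:10 +0000] "GET /uploads/-/system/user/avatar/42/avatar.png HTTP/1.1" 200 4411 "https://gitlab.example.com/" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2023:04:21:11 +0000] "GET /dashboard/projects HTTP/1.1" 200 51220 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def avatar_requests_by_client(lines) -> dict[str, set[int]]:
    """Map client IP -> set of distinct avatar user IDs it requested (any status code)."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # not an access-log line we understand
        m = AVATAR_PATH_RE.match(rec["path"])
        if m:
            seen[rec["ip"]].add(int(m.group(1)))
    return seen


def flag_enumeration(lines, min_distinct_ids: int = 3) -> dict[str, list[int]]:
    """Return clients that fetched avatars of at least min_distinct_ids distinct users.

    A browser renders the avatars of people it actually sees on a page; a client
    that walks many numeric IDs in quick succession looks like enumeration.
    """
    return {
        ip: sorted(ids)
        for ip, ids in avatar_requests_by_client(lines).items()
        if len(ids) >= min_distinct_ids
    }


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} requested avatars for {len(ids)} distinct users: {ids}")
```

The threshold of three distinct IDs is a starting point for a private instance; a busy public-facing deployment would raise it or add a time window. Including 404 responses is deliberate, since an enumerating client hits missing IDs as often as real ones.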

Mitigation Steps

To protect your GitLab CE/EE instance from this vulnerability, it is crucial to update to one of the following patched versions:

* 15.5.7
* 15.6.4
* 15.7.2

These versions include fixes that prevent unauthorized access to user avatars through this specific CVE-2022-3870 vulnerability. You can find information on how to upgrade your GitLab instance in the official documentation: Upgrading GitLab.
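The affected and patched version lists above combine into three half-open ranges, which is easy to get wrong by hand (15.5.8 is fine, 15.6.0 is not). The following is an added example, not part of the advisory or of GitLab's tooling: it parses a GitLab version string as reported by the instance (for example `15.6.3-ee`), checks it against the ranges stated in this post, and names the first patched release on that branch. The lower bound `10.` in the advisory is read here as 10.0, which is an assumption.

```python
"""Check a GitLab version string against the CVE-2022-3870 ranges (added example).

Ranges are those stated in the advisory; the lower bound "10." is taken as 10.0.
"""
from __future__ import annotations

import re

# (first affected, first fixed) per release branch; the fixed version itself is not affected.
AFFECTED_RANGES = (
    ((10, 0, 0), (15, 5, 7)),
    ((15, 6, 0), (15, 6, 4)),
    ((15, 7, 0), (15, 7, 2)),
)

# Accepts "15.6.3", "v15.6.3", "15.6.3-ee", "15.6" (patch defaults to 0).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def minimum_fixed_version(version: str) -> str | None:
    """Return the first patched release on the affected branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    return minimum_fixed_version(version) is not None


if __name__ == "__main__":
    for v in ("14.10.0", "15.5.7", "15.6.3-ee", "15.7.1", "15.8.0"):
        fix = minimum_fixed_version(v)
        print(f"{v}: {'affected, upgrade to ' + fix if fix else 'not affected'}")
```

Feed it the version from the instance's `/help` page or `gitlab-rake gitlab:env:info` output; anything that does not parse raises rather than silently reporting "not affected".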

If you're unable to update your instance immediately, you can apply a workaround to block unauthorized access to user avatars by following these steps:

1. Add a custom rule to your web server's configuration file to block avatar requests without proper authentication. For example, you could add the following rule for an NGINX web server:

location ~* ^/uploads/-/system/user/avatar/\d+/ {
    # Presence check only: refuse avatar requests that carry no gitlab_session cookie.
    # NGINX does not validate the cookie here; that remains GitLab's job.
    if ($http_cookie !~ "gitlab_session=") {
        return 403;
    }
    # A matching regex location takes over from the main "location /" block, so
    # requests that pass the check must still be proxied to GitLab: copy the
    # proxy_pass and proxy_set_header directives from that block into this one.
}

Restart your web server to apply the changes.

This workaround blocks avatar requests that carry no gitlab_session cookie. It is a presence check rather than authentication, so it only raises the bar against clients that send no cookie at all, and it may also block legitimate access for users with valid sessions when images are fetched by clients that do not send the cookie, such as email notification renderers or third-party integrations.

References

* CVE-2022-3870 - NVD
* GitLab Security Release: 15.5.7, 15.6.4, and 15.7.2

Conclusion

CVE-2022-3870 is a notable security vulnerability for GitLab CE/EE users. Although the exploit only reveals user avatars, the potential disclosure of private or sensitive images can negatively impact users who trust GitLab with their data. It is essential to take the necessary steps to mitigate this vulnerability by updating to the latest patched versions or acting on the provided workaround. Stay vigilant about maintaining security best practices and keeping your software up to date in order to secure your applications and user information.

Timeline

Published on: 01/12/2023 04:15:00 UTC
Last modified on: 01/19/2023 15:11:00 UTC