CVE-2022-4167: GitLab EE Incorrect Authorization Check Affecting Group Access Tokens Security Vulnerability

In this post, we will discuss a critical security vulnerability, CVE-2022-4167, affecting all versions of GitLab Enterprise Edition (EE) from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. This vulnerability allows group access tokens to continue working even after the group owner loses the ability to revoke them due to an incorrect authorization check. We will provide an overview of the issue, code snippets highlighting the problem, links to original references, and exploit details.

Vulnerability Overview

Group access tokens in GitLab EE are designed to allow group members to authenticate using tokens instead of individual credentials. This makes it easy for the group owner to manage access and revoke permissions as needed. However, due to an incorrect authorization check, these tokens can persist and continue to provide access even after the group owner no longer has the ability to revoke them.

To understand the issue better, let's look at some code snippets from the affected GitLab EE versions.

Here is a high-level overview of the incorrect authorization check:

# Erroneous group access token authorization check in GitLab EE (illustrative)
def validate_group_access_token_permissions
  # Only applies to requests authenticated with a group access token
  return unless group_access_token?

  unless can?(current_user, :revoke_group_access_token, group)
    # The token should be revoked here, but the method neither revokes it
    # nor raises, so the request proceeds and the token continues working
  end
end

In this code snippet, the validate_group_access_token_permissions method is supposed to ensure that group access tokens are revoked when the group owner loses the ability to do so. However, the can? check is ineffective: when it fails, the method neither revokes the token nor rejects the request, so the token persists and continues working.

2. Wait until they are removed from the group or lose the ability to revoke tokens.

3. Continue using the access token to perform unauthorized actions, as the token is not automatically revoked.

This can lead to unauthorized access to sensitive data, exfiltration of information, and potentially, the compromise of the entire GitLab instance.
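The following Ruby example is added here and is not GitLab's code: it models the check above in a toy policy, shows the vulnerable shape (a failed check that changes nothing) next to a hardened version that revokes and denies, and adds an audit helper that lists tokens whose creator can no longer revoke them. Policy, Token, Group, authorize_vulnerable, authorize_fixed and stale_tokens are names assumed for this demo.

```ruby
# Toy model of group access tokens and the authorization check from the post.
# Not GitLab's code; all class and method names are assumptions for this demo.

class AuthorizationError < StandardError; end

Group = Struct.new(:name, :owners)                       # owners: Array<String>
Token = Struct.new(:value, :group, :creator, :revoked)   # a group access token

# Mirrors the can?(user, ability, subject) shape: only a current owner of the
# group may revoke its group access tokens.
class Policy
  def can?(user, ability, group)
    ability == :revoke_group_access_token && group.owners.include?(user)
  end
end

# Vulnerable shape from the post: the failed check is observed, but nothing
# happens, so a token whose creator lost ownership keeps working.
def authorize_vulnerable(policy, token)
  unless policy.can?(token.creator, :revoke_group_access_token, token.group)
    # no raise, no revoke
  end
  :allowed
end

# Hardened version: a failed check revokes the token and rejects the request.
def authorize_fixed(policy, token)
  raise AuthorizationError, "token revoked" if token.revoked
  unless policy.can?(token.creator, :revoke_group_access_token, token.group)
    token.revoked = true
    raise AuthorizationError, "creator can no longer revoke this token"
  end
  :allowed
end

# Audit helper for defenders: live tokens whose creator is no longer an owner.
def stale_tokens(policy, tokens)
  tokens.reject do |t|
    t.revoked || policy.can?(t.creator, :revoke_group_access_token, t.group)
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = Policy.new
  group = Group.new("payments", ["alice"])                 # constructed sample
  token = Token.new("tok-constructed-1", group, "alice", false)
  group.owners.delete("alice")                            # alice loses ownership
  puts authorize_vulnerable(policy, token)                # :allowed (the bug)
  begin
    authorize_fixed(policy, token)
  rescue AuthorizationError => e
    puts "denied: #{e.message}"
  end
end
```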

Mitigation and Remediation

To mitigate this vulnerability, GitLab issued security patches for the affected versions. Users are strongly encouraged to upgrade to GitLab EE 15.5.7, 15.6.4, or 15.7.2 (or a subsequent release), depending on the version they are currently using.

Here's a link to the official GitLab Security Release blog post announcing the fix: GitLab Security Release: 15.5.7, 15.6.4, and 15.7.2

And the official GitLab Issue reference for this vulnerability: Improper Authorization Check for Group Access Tokens

Conclusion

CVE-2022-4167 is a serious vulnerability that can allow unauthorized actors to take control of GitLab instances using stale group access tokens. By upgrading to unaffected GitLab versions and carefully managing group access tokens, administrators can avoid this risk and maintain tight security around their GitLab setup.

Timeline

Published on: 01/12/2023 04:15:00 UTC
Last modified on: 01/18/2023 20:32:00 UTC