A security vulnerability tracked as CVE-2023-1210 has been disclosed in GitLab. It affects all versions from 12.9 before 16.0.8, all versions from 16.1 before 16.1.3, and all versions from 16.2 before 16.2.2. By exploiting it, an attacker can learn a user's email address from the error message GitLab returns for memberships in groups that restrict membership by email domain.

Vulnerability Details

CVE-2023-1210 lies in the handling of error messages for groups that restrict membership by email domain. When a membership does not satisfy the domain restriction, the rejection message included the affected user's email address, so anyone who could trigger the check and read the message learned an address that GitLab otherwise keeps private. An attacker can use this to enumerate addresses for reconnaissance or for targeted, email-based phishing.

A simplified, illustrative version of the vulnerable check (not GitLab's actual source) looks like this:

# Illustrative only: a membership check that echoes the user's address.
def check_email_domain_restrictions(group, user)
  return unless group.domain_whitelist_enabled?

  allowed_email_domains = group.allowed_email_domains
  unless allowed_email_domains.include?(user.email_domain)
    # The rejection message interpolates the user's email, so whoever
    # triggers this check reads the address out of the error.
    raise ArgumentError, "#{user.email} does not match the allowed domains: #{allowed_email_domains.join(', ')}"
  end
end

In this snippet, if the domain of the user's email is not in the allowed list, an error is raised. The message, however, interpolates the user's email address (and therefore its domain), and that message is what reaches the caller. That is the leak: the decision to reject is correct, but the explanation discloses data the caller was not entitled to.
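To make the fix concrete, here is an added example (not GitLab's code) that puts the leaky check beside a hardened one. The Group and User structs, the MembershipError class and the sample data are stand-ins constructed for the example; the hardened message keeps the detail in a server-side log, where the caller cannot read it.

```ruby
# Added example, not GitLab's code: leaky vs hardened membership check.
# Group and User are stand-in structs constructed for this example.
Group = Struct.new(:name, :allowed_email_domains) do
  def domain_restricted?
    !allowed_email_domains.nil? && !allowed_email_domains.empty?
  end
end

User = Struct.new(:username, :email) do
  def email_domain
    email.split("@", 2).last.downcase
  end
end

class MembershipError < StandardError; end

# Vulnerable: the rejection message interpolates the invitee's address.
# Anyone who can trigger the check (e.g. by trying to add the user to the
# group) reads the address straight out of the error text.
def add_member_leaky(group, user)
  return :added unless group.domain_restricted?
  return :added if group.allowed_email_domains.include?(user.email_domain)

  raise MembershipError,
        "email '#{user.email}' does not match the allowed domains of " \
        "#{group.allowed_email_domains.join(', ')}"
end

# Hardened: same decision, but the caller-visible message carries no part
# of the address. The specific reason goes to the server log instead.
def add_member_safe(group, user, log: [])
  return :added unless group.domain_restricted?
  return :added if group.allowed_email_domains.include?(user.email_domain)

  log << "rejected #{user.username} for group #{group.name}: " \
         "domain #{user.email_domain} not allowed"
  raise MembershipError,
        "The member's email address is not allowed for this group. " \
        "Check with your administrator."
end

# Returns the error text a caller would see, or nil when the add succeeds.
def visible_error(method, group, user)
  send(method, group, user)
  nil
rescue MembershipError => e
  e.message
end

# Constructed sample data for the example.
SAMPLE_GROUP = Group.new("acme-engineering", ["acme.example"])
OUTSIDER = User.new("jdoe", "jdoe-private@mail.example")
INSIDER = User.new("asmith", "asmith@acme.example")

if $PROGRAM_NAME == __FILE__
  puts "leaky:    #{visible_error(:add_member_leaky, SAMPLE_GROUP, OUTSIDER)}"
  puts "hardened: #{visible_error(:add_member_safe, SAMPLE_GROUP, OUTSIDER)}"
end
```

Run with `ruby membership_check.rb`: the first line prints the outsider's full address, the second prints only the generic refusal. The design point is that the user-facing message should contain only what the caller already supplied (a username) and never a field looked up on their behalf.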

Exploit

To exploit CVE-2023-1210, an attacker needs to be a member of a group that restricts membership by email domain and to be able to trigger the membership check for the target user (for example, by attempting to add that user to the group). The rejection message then discloses the target's email address; no further access is required.

References

1. GitLab Security Advisory: https://about.gitlab.com/releases/2023/08/17/security-release-gitlab-16--8-16-1-3-16-2-2/
2. GitLab Patch Release: https://about.gitlab.com/releases/2023/08/24/gitlab-16--9-16-1-4-16-2-3/
3. CVE-2023-1210 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1210

Mitigation

GitLab has addressed CVE-2023-1210 in its security releases. Administrators of affected self-managed instances should upgrade to the fixed release for their branch:

For GitLab 16.0, upgrade to GitLab 16.0.8 or later.
For GitLab 16.1, upgrade to GitLab 16.1.3 or later.
For GitLab 16.2, upgrade to GitLab 16.2.2 or later.
Instances on any earlier release from 12.9 onward should upgrade to 16.0.8 or later.

Beyond this fix, keep up with GitLab's security releases and regularly review its security advisories and changelog. For anyone maintaining similar code, the general lesson is that user-facing error messages must not echo data the caller was not entitled to read (an email address, a domain, an internal identifier); log the detail server-side and return a generic refusal. Finally, periodically review who is a member of domain-restricted groups and who can add members to them, since that is the position an attacker needs.
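As an added helper (not from GitLab or the advisory), the following checks an installed GitLab version string against the affected ranges listed above and reports the release to move to. It uses Gem::Version, which ships with Ruby, and assumes GitLab's usual "16.1.2-ee" / "16.1.2-ce" edition suffix, which it strips before comparing.

```ruby
# Added helper, not GitLab's code: is this install affected by CVE-2023-1210?
# Ranges are [first affected, first fixed) as stated in the advisory.
AFFECTED_RANGES = [
  ["12.9", "16.0.8"],
  ["16.1", "16.1.3"],
  ["16.2", "16.2.2"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Strips the "-ee"/"-ce" edition suffix (assumed format, e.g. "16.1.2-ee")
# and returns a Gem::Version, or nil if the string is not a version number.
def parse_gitlab_version(str)
  core = str.to_s.strip.sub(/-(ee|ce)\z/, "")
  return nil unless core.match?(/\A\d+(\.\d+)*\z/)

  Gem::Version.new(core)
end

# True when the version falls inside any affected range. Gem::Version treats
# "16.2" and "16.2.0" as equal, so the range starts behave as expected.
def affected_by_cve_2023_1210?(version_string)
  v = parse_gitlab_version(version_string)
  raise ArgumentError, "unparseable version: #{version_string.inspect}" if v.nil?

  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Returns the first fixed release for an affected version, or nil when the
# version is not affected (or cannot be parsed).
def fix_version_for(version_string)
  v = parse_gitlab_version(version_string)
  return nil if v.nil?

  range = AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
  range && range.last.to_s
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs; on a real host use the output of
  # `gitlab-rake gitlab:env:info` or /api/v4/version.
  %w[16.1.2-ee 16.0.8 16.2.1-ce 12.8.9 16.3.0].each do |ver|
    fix = fix_version_for(ver)
    puts "#{ver}: #{fix ? "affected, upgrade to #{fix}" : 'not affected'}"
  end
end
```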

Timeline

Published on: 08/02/2023 00:15:00 UTC
Last modified on: 08/04/2023 19:08:00 UTC