Protecting sensitive information and keeping unauthorized users away from confidential resources is a baseline obligation for every organization running its own source-code hosting. This post covers CVE-2023-1555, a vulnerability in GitLab that allows a user who has been banned at the namespace level to keep accessing the API.

Overview

First, the affected versions. Three release ranges are vulnerable:

- all versions starting from 15.2 before 16.1.5
- all versions starting from 16.2 before 16.2.5
- all versions starting from 16.3 before 16.3.1

If your GitLab installation falls within one of these ranges, apply the patch described in the remediation steps below without delay.

Vulnerability Details

In affected versions, a user who has been banned at the namespace level (a group-level ban) can still authenticate to and use the REST API, so the ban takes effect only in the web UI. The user can therefore keep reading data from, and acting on, resources in the namespace they were banned from, which undermines the confidentiality and integrity guarantees the ban is supposed to provide.

Below is a simplified snippet from the User model (user.rb) that illustrates the issue:

class User < ApplicationRecord
  # ...

  # True when the user is banned either instance-wide or within the namespace.
  def banned?
    namespace.global_banned? || namespace.banned?
  end

  # ...
end

Here, banned? checks whether the user is banned globally or at the namespace level. The defect is not in the method itself but in where it is consulted: the API request path never calls it, so a namespace-banned user's API requests are served as if no ban existed.
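The following is an added example, not GitLab's code, that models the shape of this bug and its fix: one access check that the web path consults and the API path forgets. The class and method names (NamespaceBans, AccessCheck, VulnerableApi, FixedApi) and the constructed scenario are hypothetical; responses are modelled as hashes with an HTTP-like status.

```ruby
# Added example, not GitLab's code: a minimal model of a namespace-level ban
# and of two request paths (web UI and REST API) that must both consult it.
# All class, method and user names here are hypothetical.
require 'set'

User      = Struct.new(:id, :username, :blocked, keyword_init: true)
Namespace = Struct.new(:id, :path, keyword_init: true)
Project   = Struct.new(:id, :name, :namespace, keyword_init: true)

# Registry of namespace-scoped bans, keyed by [namespace_id, user_id].
class NamespaceBans
  def initialize
    @bans = Set.new
  end

  def ban(namespace, user)
    @bans << [namespace.id, user.id]
    self
  end

  def banned?(namespace, user)
    @bans.include?([namespace.id, user.id])
  end
end

# One shared access check returning a denial reason or nil. Both request
# paths should go through this so they cannot drift apart.
module AccessCheck
  def self.denial_reason(user, namespace, bans)
    return 'not authenticated'     if user.nil?
    return 'account blocked'       if user.blocked
    return 'banned from namespace' if bans.banned?(namespace, user)
    nil
  end
end

def project_json(project)
  { id: project.id, path_with_namespace: "#{project.namespace.path}/#{project.name}" }
end

# Web path: consults the shared check, so a namespace-banned user is refused.
class WebController
  def initialize(bans)
    @bans = bans
  end

  def show_project(user, project)
    reason = AccessCheck.denial_reason(user, project.namespace, @bans)
    reason ? { status: 403, error: reason } : { status: 200, body: project_json(project) }
  end
end

# Vulnerable API path: authenticates the caller and checks the instance-wide
# block, but never asks about namespace bans. This is the shape of the bug.
class VulnerableApi
  def get_project(user, project)
    return { status: 401, error: 'not authenticated' } if user.nil?
    return { status: 403, error: 'account blocked' }   if user.blocked
    { status: 200, body: project_json(project) }
  end
end

# Fixed API path: reuses the shared check, so namespace bans apply to API
# tokens exactly as they do to browser sessions.
class FixedApi
  def initialize(bans)
    @bans = bans
  end

  def get_project(user, project)
    reason = AccessCheck.denial_reason(user, project.namespace, @bans)
    return { status: 403, error: reason } if reason
    { status: 200, body: project_json(project) }
  end
end

# Constructed scenario: mallory is banned from the 'acme' group; alice is not.
# Returns the response each path gives so the difference is visible.
def compare_paths
  group   = Namespace.new(id: 1, path: 'acme')
  project = Project.new(id: 42, name: 'payments', namespace: group)
  alice   = User.new(id: 3, username: 'alice',   blocked: false)
  mallory = User.new(id: 7, username: 'mallory', blocked: false)
  bans    = NamespaceBans.new.ban(group, mallory)

  {
    web_banned:        WebController.new(bans).show_project(mallory, project),
    vulnerable_banned: VulnerableApi.new.get_project(mallory, project),
    fixed_banned:      FixedApi.new(bans).get_project(mallory, project),
    fixed_unbanned:    FixedApi.new(bans).get_project(alice, project)
  }
end

if $PROGRAM_NAME == __FILE__
  compare_paths.each { |path, resp| puts format('%-18s %s %s', path, resp[:status], resp[:error]) }
end
```

The point of the shared AccessCheck module is the design lesson behind the fix: when a ban (or any other authorization state) is evaluated in one place and reused by every entry point, the API cannot silently lag behind the web UI. The fixed_unbanned case is there to confirm that the fix does not over-block members who are not banned.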

Original References

GitLab was made aware of this vulnerability and has since issued patches for the affected versions. For details, refer to the corresponding patch release advisories:

- 16.3.1 Security Advisory
- 16.2.5 Security Advisory
- 16.1.5 Security Advisory

To address this vulnerability, GitLab released fixes for all affected branches:

- Installations running GitLab 15.2 or later but before 16.1.5 should upgrade to 16.1.5 or later.
- Installations running GitLab 16.2 before 16.2.5 should upgrade to 16.2.5 or later.
- Installations running GitLab 16.3 before 16.3.1 should upgrade to 16.3.1 or later.

After upgrading, verify that namespace-level banned users really can no longer reach the API: create a test account, add it to a group, ban it from that group, then call the API with a personal access token belonging to that account against a project in that group and confirm the request is refused. A 200 response carrying project data means the ban is still not enforced on the API path.
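The check above, as an added example that is not part of the original post or of GitLab's tooling: it issues GET /api/v4/projects/:id with the banned test account's token and classifies the result. The environment variable names (GITLAB_URL, PROJECT_ID, BANNED_USER_TOKEN) are this example's own assumptions; nothing is sent when they are unset, so the classifier can be exercised offline.

```ruby
# Added example, not GitLab's code: checks whether a namespace-banned account
# can still read a project through the REST API. Assumes GITLAB_URL (e.g.
# https://gitlab.example.com), PROJECT_ID (a project in the group the test
# account is banned from) and BANNED_USER_TOKEN (a personal access token of
# that account). With any of them unset, no request is made.
require 'net/http'
require 'uri'

# Maps the HTTP status of GET /api/v4/projects/:id to a verdict.
# 200 means the ban is not enforced for the API. 401 means the token itself
# was rejected (expired, wrong scope, typo), which proves nothing about the
# ban and must not be read as a pass. 403 or 404 both mean access was denied;
# which of the two a given instance returns is not something to rely on.
def classify_api_response(status)
  case status.to_i
  when 200      then :still_accessible
  when 401      then :inconclusive_bad_token
  when 403, 404 then :denied
  else               :unexpected
  end
end

# Performs the request and returns the HTTP status code as a string.
def fetch_project_status(base_url, project_id, token)
  uri = URI.join(base_url, "/api/v4/projects/#{project_id}")
  req = Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  res.code
end

if ENV['GITLAB_URL'] && ENV['PROJECT_ID'] && ENV['BANNED_USER_TOKEN']
  code = fetch_project_status(ENV['GITLAB_URL'], ENV['PROJECT_ID'], ENV['BANNED_USER_TOKEN'])
  puts "HTTP #{code}: #{classify_api_response(code)}"
end
```

Run it once with a token of an ordinary member to confirm you get 200 (the token and project ID are good), then with the banned account's token; only the second run should report denied. Treating 401 as inconclusive rather than as a pass avoids the common mistake of "verifying" a fix with a token that was never valid.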

In conclusion, keeping GitLab current with its security patch releases remains the most effective defence. CVE-2023-1555 is also a reminder that an authorization decision such as a ban has to be enforced on every access path, the API included, not only in the web UI, and that patches of this kind should be applied as soon as they are published to protect the confidentiality and integrity of your installation.

Timeline

Published on: 09/01/2023 11:15:00 UTC
Last modified on: 09/07/2023 17:11:00 UTC