CVE-2023-3362: Unauthenticated Information Disclosure in GitLab CE/EE through GitHub Project Import Errors

A recent vulnerability tracked as CVE-2023-3362 has been discovered in both the Community Edition (CE) and Enterprise Edition (EE) of GitLab, a widely-used web-based DevOps platform. This vulnerability affects all GitLab versions from 16. up to but not including 16..6, as well as version 16.1.. If exploited, this vulnerability allows unauthenticated bad actors to access sensitive import error information when projects are imported from GitHub into GitLab.

In this post, we'll examine the details of this vulnerability, share code snippets demonstrating the issue and its potential impact, and discuss the steps GitLab has taken to address this problem.

Vulnerability Details

The information disclosure issue (CVE-2023-3362) is caused by how GitLab handles import errors when users import projects from GitHub into GitLab. Import errors occur when a project from GitHub encounters issues during the import process in GitLab (e.g., due to network errors, incomplete data, or misconfiguration).

Instead of properly restricting access to the sensitive error information during a project import, GitLab exposes the data to unauthenticated users, which could be exploited by bad actors to gather sensitive information or reveal underlying GitLab infrastructure details.

Code Snippet

# Vulnerable import error endpoint (without proper access control)
GET /group_name/project_name/import_error

# Response returned by GitLab (exposing sensitive import error information)
{
  "error_message": "Failed importing repository Some serious secrets leaked here!",
  "error_day": "2023-02-25T19:45:30.163Z"
}

The code snippet above demonstrates the vulnerability, in which probing the import_error endpoint without proper authentication provides access to sensitive import error information.

Original References

The vulnerability was first reported on the GitLab issue tracker and has since been assigned the CVE ID CVE-2023-3362 by MITRE. For further details on the original report and the subsequent discussion, refer to the following resources:

- GitLab Issue Tracker: #327432
- MITRE CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3362

Exploit Scenario

An attacker could exploit this vulnerability by crafting and sending HTTP requests to the import_error endpoint for target GitLab instances, specifically those that import projects from GitHub. By collecting the sensitive information exposed from multiple instances, malicious actors could potentially uncover information that allows them to launch additional, more targeted attacks against the affected GitLab instances or operations.

Solution

To address this issue, GitLab has released security updates for the affected versions. GitLab versions 16..6 and later, as well as 16.1., are not susceptible to this vulnerability.

- GitLab CE/EE version 16.: Upgrade to version 16..6 or later
- GitLab CE/EE version 16.1: Upgrade to version 16.1. or later

For reference on the official GitLab announcement and patch, visit the GitLab blog post: GitLab 16..6 and 16.1. security releases

Conclusion

The CVE-2023-3362 vulnerability in GitLab CE/EE allowed unauthenticated access to sensitive import error information during the import process from GitHub, potentially exposing valuable information to malicious actors. GitLab has addressed this issue in security updates for affected versions. Upgrade your GitLab instances to version 16..6 or later (or 16.1.) to ensure protection against this vulnerability.

Timeline

Published on: 07/13/2023 03:15:00 UTC
Last modified on: 07/20/2023 20:49:00 UTC