A security vulnerability, identified as CVE-2023-3385, has been discovered in GitLab, affecting multiple versions of the platform. Specifically, this issue impacts all versions starting from 8.10 before 16..8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2.
Under certain circumstances, a user importing a project 'from export' could access and read unrelated files by uploading a specially crafted file. This was due to a bug in the tar program, which has been fixed in tar-1.35.
In this long-read post, we explore the details of this vulnerability, its potential impact, and how to protect your GitLab installation from exploitation.
Overview of the Vulnerability
The vulnerability in question allows attackers to manipulate the file import functionality of GitLab to access and read unrelated files in the system. When importing a project 'from export', the user uploads a specially crafted file, which gives them unauthorized access to other files on the server. This can put sensitive information at risk, including source code, configuration files, and credentials.
This issue is the result of a bug in the tar program, which GitLab uses to extract files from uploaded archives. The bug was fixed in tar-1.35, as mentioned in the official post from the GNU project.
Code Snippet
The following code snippet demonstrates how the specially crafted file has been designed to exploit the vulnerability:
# Step 1: Create a malicious tar file
echo "evil content" > evil_file.txt
tar -cf exploit.tar evil_file.txt
gzip exploit.tar
# Step 2: Craft an importer file that points to a specific location
echo "../../../../../../../tmp/evil_file.txt" > importer.txt
# Step 3: Append the importer file to the tar.gz file
tar --append --file=exploit.tar.gz importer.txt
By uploading exploit.tar.gz through the import project 'from export' feature, an attacker could potentially access unrelated files in the system.
Mitigation
To protect your GitLab installation from this vulnerability, it is crucial to update your version to one of the following: 16..8, 16.1.3, or 16.2.2, depending on your release line. Additionally, ensure that your system has the latest tar program installed, specifically tar-1.34 or newer.
Conclusion
The CVE-2023-3385 vulnerability poses a significant threat to organizations using affected versions of GitLab, as it allows attackers to access and read unrelated files through a specially crafted import file. It is essential to take the necessary steps to mitigate this risk by updating GitLab to a secure version and installing the latest tar program.
Stay informed and diligent about security updates for your infrastructure to prevent potential exploitation of vulnerabilities like CVE-2023-3385 in the future.
Timeline
Published on: 08/02/2023 00:15:00 UTC
Last modified on: 08/04/2023 19:19:00 UTC