A security vulnerability (CVE-2023-3413) has been discovered in GitLab, a popular web-based DevOps lifecycle tool. It affects all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. The vulnerability allows a user who is not a member of a project to read its source code through a fork that was created before the project's visibility was changed to "members only." In this post, we will look at the details of this vulnerability, how it can be exploited, and how to address it.

Vulnerability Exploit Details

The vulnerability stems from how GitLab handles a project's forks when the project's visibility is reduced. A fork is a separate project with its own visibility setting; at fork time it defaults to the upstream's level, so a fork of a public project is normally public. When the upstream is later restricted to members only, GitLab does not change the settings of forks that already exist, and each of those forks holds a copy of the upstream history as of the moment it was created. The result described in the advisory is that the project's source code can still be read through such a fork by someone who is not a member of the upstream project.

To exploit this vulnerability, an attacker only needs to fork the target project while it is still public. With the REST API the fork is a single authenticated call (the token is sent in a PRIVATE-TOKEN header; the endpoint also accepts an optional visibility parameter, so the attacker can explicitly keep the fork public):

POST /api/v4/projects/<project_id>/fork

Once the fork exists, the owner of the original project may later restrict it, for example with a request like the one below:

PUT /api/v4/projects/<project_id>
{
  "visibility": "private"
}

The attacker can still read the code through the fork, because the visibility change is applied to the upstream project only and is not propagated to forks that already exist.

Original References

More information about this vulnerability, including the official GitLab advisory (the security release that shipped 16.4.1, 16.3.5 and 16.2.8 in September 2023), can be found here:
- https://nvd.nist.gov/vuln/detail/CVE-2023-3413

Mitigation Measures

To resolve this issue, the developers of GitLab have released patches in versions 16.2.8, 16.3.5, and 16.4.1. Upgrading is the fix; do not assume it changes the settings of forks that already exist, since a fork is a separate project owned by whoever created it, so the review of existing forks described below is still needed.

As a precautionary measure, administrators should upgrade their GitLab installations to the latest patched versions available. GitLab provides installation and upgrade guides for various platforms:

- https://about.gitlab.com/install
- https://docs.gitlab.com/ee/update

Additionally, owners of projects whose visibility was reduced should review the existing forks of those projects. Forks can be listed with GET /api/v4/projects/<project_id>/forks (only forks the caller is allowed to see are returned, so an administrator token gives the complete picture). A fork whose visibility is more open than the upstream's exposes the code as it stood at fork time; its owner should reduce its visibility, or an administrator should do so, and the fork relationship can be removed if it is no longer wanted.
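The review described above can be scripted against the project and fork endpoints. The script below is an added example written for this post, not GitLab's own code. It uses only the Python standard library and the documented GET /api/v4/projects/:id and GET /api/v4/projects/:id/forks endpoints. It treats a project whose repository feature is restricted to "Only Project Members" (repository_access_level set to private) as effectively private, which is this post's reading of the advisory's "members only" wording; the base URL, token, project ID and the API responses embedded at the bottom are placeholders and constructed sample data.

```python
"""Find forks that expose a project's code more widely than the project itself.

Added example for this post, not GitLab's own code. Standard library only.
Endpoints used (documented GitLab REST API):
  GET /api/v4/projects/:id        -> one project
  GET /api/v4/projects/:id/forks  -> forks of a project (paginated)
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Repository exposure from most to least restricted.
EXPOSURE_RANK = {"private": 0, "internal": 1, "public": 2}


def effective_exposure(project):
    """Return who can read the project's repository, as a visibility string.

    Assumption used in this post: a repository whose feature access is
    "Only Project Members" (repository_access_level == "private") or disabled
    is readable by members only, whatever the project-level visibility says.
    """
    if project.get("repository_access_level", "enabled") in ("private", "disabled"):
        return "private"
    return project["visibility"]


def overexposed_forks(upstream, forks):
    """Forks whose repository is readable by a wider audience than upstream's."""
    limit = EXPOSURE_RANK[effective_exposure(upstream)]
    return [f for f in forks if EXPOSURE_RANK[effective_exposure(f)] > limit]


def _get(url, token):
    """One authenticated GET; returns (parsed JSON body, response headers)."""
    req = Request(url, headers={"PRIVATE-TOKEN": token})
    with urlopen(req) as resp:
        return json.load(resp), resp.headers


def fetch_project(base_url, project_id, token):
    """The upstream project record (numeric ID or URL-encoded path)."""
    body, _ = _get(f"{base_url}/api/v4/projects/{project_id}", token)
    return body


def fetch_forks(base_url, project_id, token):
    """All forks visible to the token's owner, following X-Next-Page."""
    forks, page = [], "1"
    while page:
        query = urlencode({"per_page": 100, "page": page})
        body, headers = _get(
            f"{base_url}/api/v4/projects/{project_id}/forks?{query}", token)
        forks.extend(body)
        page = headers.get("X-Next-Page", "")  # empty on the last page
    return forks


def audit_live(base_url, project_id, token):
    """Fetch upstream and its forks from a real instance and compare them."""
    upstream = fetch_project(base_url, project_id, token)
    return overexposed_forks(upstream, fetch_forks(base_url, project_id, token))


# Constructed sample responses (trimmed to the fields the audit needs).
SAMPLE_UPSTREAM = {"id": 100, "path_with_namespace": "acme/widgets",
                   "visibility": "private", "repository_access_level": "enabled"}
SAMPLE_FORKS = [
    {"id": 201, "path_with_namespace": "alice/widgets",
     "visibility": "public", "repository_access_level": "enabled"},
    # Public project whose repository feature is members only: not exposed.
    {"id": 202, "path_with_namespace": "bob/widgets",
     "visibility": "public", "repository_access_level": "private"},
    {"id": 203, "path_with_namespace": "carol/widgets",
     "visibility": "internal", "repository_access_level": "enabled"},
    {"id": 204, "path_with_namespace": "dave/widgets",
     "visibility": "private", "repository_access_level": "enabled"},
]

if __name__ == "__main__":
    # Offline demo on the constructed data; for a live audit call
    # audit_live("https://gitlab.example.com", 100, "<token>") instead.
    for fork in overexposed_forks(SAMPLE_UPSTREAM, SAMPLE_FORKS):
        print(f"{fork['path_with_namespace']} (id {fork['id']}) is "
              f"{effective_exposure(fork)} but upstream is "
              f"{effective_exposure(SAMPLE_UPSTREAM)}")
```

On the sample data the private upstream has two over-exposed forks, the public one and the internal one; the public fork whose repository is members only is not flagged. Run the live audit with an administrator token where possible, since the forks endpoint only returns forks the caller can see, and remember that a fork at or below the upstream's level is still readable by that fork's own members.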

Conclusion

CVE-2023-3413 is a significant vulnerability that could allow unauthorized access to a project's source code via a fork in GitLab. To address the issue, GitLab has introduced patches in versions 16.2.8, 16.3.5, and 16.4.1. Users are strongly encouraged to upgrade their installations to the latest patched versions and verify the visibility status of their projects and forks to ensure proper access restrictions.

Timeline

Published on: 09/29/2023 09:15:00 UTC
Last modified on: 10/03/2023 19:55:00 UTC