A recently disclosed vulnerability, CVE-2023-3484, affects GitLab Enterprise Edition (EE) installations. This critical issue allows an attacker to alter the name or path of a public top-level group under certain conditions. This post covers the details of the vulnerability, including code snippets, original references, and exploit details.

Affected Versions

16.1 and 16.1.1

If you are running any of these versions, it is highly recommended that you update to the latest patched versions (15.11.11, 16.0.7, or 16.1.2) immediately to mitigate this risk.

Exploit Details

An attacker can exploit this vulnerability only under certain conditions, such as a discrepancy between the actual visibility level of a group and the visibility level stored in the database. Here is an example scenario in which the issue can be exploited:

1. A logged-in user creates a new public group within their GitLab EE instance.
2. Due to a bug, the group's visibility level is internally set to "private" in the database, even though the user interface (UI) shows the group as "public".
3. An attacker with access to the group URL can now change the group's name and path, even if they don't have any privileges in the group.

Original References

The GitLab team has officially acknowledged this vulnerability and has provided the relevant patches. The relevant GitLab issues and merge requests can be found at the following links:

- Issue #1
- Issue #2
- Merge Request #1

Code Snippet

A code snippet from the patched version that solves the issue in the group_policy.rb file would be as follows:

# Ensure unauthorized changes are disallowed
def check_edit_ability
  # Anonymous requests can never edit the group.
  return false unless user

  # For a public group, only an instance administrator may change the
  # name or path; for any other group the usual :admin_group permission applies.
  if @subject.public?
    user.admin?
  else
    can?(:admin_group, @subject)
  end
end

This change ensures that only those with admin privileges can change the names and paths of public top-level groups, thus fixing the vulnerability.
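To make the rule concrete, here is an added, self-contained Ruby model of the patched authorization logic (example code, not GitLab's own): the Group and User structs, the role names and the sample groups are constructed for illustration, and an owner role stands in for the :admin_group permission.

```ruby
# Added example, not GitLab's code: a minimal model of the patched rule for
# changing a top-level group's name or path. Group, User and the role names
# are constructed for illustration only.

Group = Struct.new(:name, :path, :visibility_level, :parent, keyword_init: true) do
  # Authorization must read the persisted visibility, never what a UI renders.
  def public?
    visibility_level == :public
  end

  def top_level?
    parent.nil?
  end
end

User = Struct.new(:username, :admin, :roles, keyword_init: true) do
  def admin?
    admin
  end

  # roles maps a group path to this user's highest role in that group.
  def role_in(group)
    roles.fetch(group.path, :none)
  end
end

# A public top-level group may only be renamed or re-pathed by an instance
# administrator; any other group by an owner (standing in for :admin_group).
def can_edit_name_and_path?(user, group)
  return false if user.nil?

  if group.public? && group.top_level?
    user.admin?
  else
    user.admin? || user.role_in(group) == :owner
  end
end

# Applies the change only when the rule allows it; returns true on success.
def rename_group!(user, group, new_name:, new_path:)
  return false unless can_edit_name_and_path?(user, group)

  group.name = new_name
  group.path = new_path
  true
end

if __FILE__ == $PROGRAM_NAME
  acme = Group.new(name: "acme", path: "acme", visibility_level: :public, parent: nil)
  guest = User.new(username: "guest", admin: false, roles: {})
  puts rename_group!(guest, acme, new_name: "renamed", new_path: "renamed") # false
end
```

Because `public?` reads the stored visibility level, a group that is "private" in the database but displayed as "public" still falls through to the owner check, so an unprivileged visitor is denied in both branches.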

Recommendations

1. If you are running GitLab EE in an affected version, it is strongly recommended that you upgrade to a patched version. The available patched versions are 15.11.11, 16.0.7, and 16.1.2. To upgrade your GitLab instance, follow the official upgrade documentation.
2. Implement strong access controls and least-privilege principles for all users.
3. Follow the GitLab security guidelines for additional security measures.

Conclusion

CVE-2023-3484 poses a significant risk for GitLab EE installations, allowing unauthorized changes to public top-level group names and paths. By updating to the latest patched version and adhering to best practices, you can protect your GitLab instance from potential exploits relating to this vulnerability. Stay vigilant and follow the latest security news to ensure you're always prepared against new threats.

Timeline

Published on: 07/21/2023 14:15:00 UTC
Last modified on: 07/31/2023 17:03:00 UTC