CVE-2023-3906: Critical Input Validation Vulnerability in GitLab EE Asset Proxy that Allows Authenticated Attackers to Bypass the Asset Proxy

A significant input validation vulnerability in the asset proxy of GitLab Enterprise Edition (EE) has been discovered, which affects all versions of GitLab from 12.3 to before 16.2.8, 16.3 before 16.3.5, and 16.4 before 16.4.1. The vulnerability, known as CVE-2023-3906, enables any authenticated attacker to craft specific image URLs, which results in bypassing the asset proxy. This post will discuss the details of the CVE-2023-3906 vulnerability, potential exploit scenarios, and pertinent code snippets. In addition, the post will provide links to original references to assist users in understanding and mitigating the issue.

Vulnerability Details

The input validation issue originates in the asset proxy component of GitLab EE. The asset proxy is responsible for fetching and serving images and other assets embedded in markdown files, such as README files or wiki pages. However, due to a lack of validation on the image URL input, an authenticated attacker can manipulate the URL structure and consequently circumvent the asset proxy's intended functionality.

To better illustrate the vulnerability, let's examine the following example code snippet that demonstrates how an authenticated attacker can effectively exploit the vulnerability and craft a malicious image URL:

# Attacker-controlled variables
attacker_domain = 'evil.example.com'
victim_url = 'https://gitlab.example.com/user/repo/blob/master/img.png'

# Craft the malicious image URL: the victim URL is carried as a query
# parameter of a URL whose host is the attacker's own domain
malicious_url = f'https://{attacker_domain}/blob/master/img.png?url={victim_url}'

# Placeholder for embedding the URL in a markdown page (the original
# snippet leaves this function undefined); it returns the image markup
def submit_image(url):
    return f'![img]({url})'

# Submit the malicious URL to be displayed in a GitLab markdown page
submit_image(malicious_url)

In this example, the attacker successfully constructs the malicious URL by appending the victim's URL as a query parameter to their own domain. As a result, when a user views this URL in a markdown file, the asset proxy will retrieve and display the image, presenting a privacy and security risk.
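As an added illustration, not GitLab's own code and not the actual fix for CVE-2023-3906, the following Python sketch of a camo-style asset-proxy rewriter makes the allowlist decision once on the raw URL string and once on the parsed host, and runs both against the crafted URL from the snippet above. The proxy address, secret and allowlist are constructed placeholders, and the hardened check also covers a user-info (`trusted@attacker`) form the page does not mention.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed placeholder deployment values, not real GitLab settings.
ASSET_PROXY_URL = "https://assets.example.com"
ASSET_PROXY_SECRET = b"constructed-example-secret"
# Hosts whose images may be embedded directly, without the proxy.
ASSET_PROXY_ALLOWLIST = {"gitlab.example.com"}

def naive_is_allowlisted(url: str) -> bool:
    # Weak check: a trusted host name anywhere in the raw URL string passes,
    # so a trusted name carried in the path, query or userinfo satisfies it.
    return any(host in url for host in ASSET_PROXY_ALLOWLIST)

def is_allowlisted(url: str) -> bool:
    # Hardened check: parse first, then compare only the host component.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in ASSET_PROXY_ALLOWLIST

def proxy_url(url: str) -> str:
    # Camo-style proxied form: <proxy>/<hmac-sha1 hex>/<hex of original url>.
    digest = hmac.new(ASSET_PROXY_SECRET, url.encode(), hashlib.sha1).hexdigest()
    return f"{ASSET_PROXY_URL}/{digest}/{url.encode().hex()}"

def rewrite_image_src(url: str, allowlist_check=is_allowlisted) -> str:
    # The src the rendered markdown should use: the original URL only when
    # its host is allowlisted, otherwise the proxied URL.
    return url if allowlist_check(url) else proxy_url(url)

# The crafted URL from the snippet above: attacker host, trusted URL in the query.
CRAFTED = ("https://evil.example.com/blob/master/img.png"
           "?url=https://gitlab.example.com/user/repo/blob/master/img.png")

if __name__ == "__main__":
    # The weak check returns the attacker-hosted URL unproxied (the bypass);
    # the hardened check routes it through the proxy.
    print(rewrite_image_src(CRAFTED, naive_is_allowlisted))
    print(rewrite_image_src(CRAFTED))
```

The second printed line is the form a renderer should emit for any host outside the allowlist; the proxy then fetches the image server-side instead of the viewer's browser contacting the attacker's host.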

Original References and Further Reading

1. GitLab's blog post on the issue: CVE-2023-3906: An input validation issue in the asset proxy in GitLab EE

2. GitLab's official issue tracker: #issue_number

3. The Common Vulnerabilities and Exposures (CVE) entry for this vulnerability: CVE-2023-3906

Mitigation

Update to the patched release for the line you run: 16.2.8, 16.3.5, or 16.4.1 (or later).

All GitLab EE users are strongly advised to update their deployments as soon as possible to mitigate this critical security issue. Organizations can also consider stricter access control and monitoring to detect attempts to leverage CVE-2023-3906.

Conclusion

CVE-2023-3906 is a critical input validation vulnerability in the asset proxy of GitLab Enterprise Edition, affecting numerous version ranges. This post outlined the vulnerability details, exploit examples, and potential consequences, along with recommended mitigations and workarounds. Ensure that you update your GitLab EE deployment as soon as possible to safeguard against potential exploits.

Timeline

Published on: 09/29/2023 07:15:00 UTC
Last modified on: 10/02/2023 19:42:00 UTC