A security vulnerability (CVE-2023-5117) has been discovered in GitLab CE/EE, affecting all versions of the software before 17.6. This blog post discusses the vulnerability, gives a code snippet that demonstrates the issue, and points to the original sources of information. We also describe the exploit and how it can be mitigated. Note that CVE-2023-5117 can expose sensitive information to unauthorized users, so it is essential to address it as soon as possible.

Exploit Details

The vulnerability in GitLab CE/EE allows unauthorized users to gain access to confidential files that were uploaded in the comments of confidential issues and epics of public projects. This is possible because access permissions are not checked when the file URL is requested, so the uploaded files are accessible to anyone who has a direct link to the file URL.

Here's a code snippet demonstrating the issue:

import requests

# User A uploads a confidential file in a comment on a confidential issue of a public project;
# the attachment is then served from a URL of this shape (example host and secret)
url = 'https://gitlab.example.com/uploads/29d13d67d799524c457f5ecbba5d91ff/secret.docx'
# GitLab expects the personal access token in the PRIVATE-TOKEN header,
# not as a value of the Authorization header
user_a_headers = {'PRIVATE-TOKEN': '<User_A_Token>'}  # owner of the issue; expected to have access

# User B, who is not allowed to read the confidential issue, requests the same URL
user_b_headers = {'PRIVATE-TOKEN': '<User_B_Token>'}
response = requests.get(url, headers=user_b_headers)

# On an affected instance the file is served although User B lacks permission
if response.status_code == 200:
    print("User B has unauthorized access to the confidential file!")

As the snippet shows, User B, who is not supposed to see the file, can retrieve the file uploaded by User A simply by having the direct link.
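The root cause described above is an authorization check that is tied to possession of the URL rather than to the object the upload belongs to. The following is an added example, not GitLab's code: a deliberately simplified in-memory model (all class and function names are constructed for illustration) that contrasts a handler which serves any upload whose path is known with a hardened handler that resolves the upload to its parent issue and applies that issue's visibility rule before responding.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed model of the objects involved; not GitLab's data model.
@dataclass
class Project:
    name: str
    public: bool
    members: FrozenSet[str] = field(default_factory=frozenset)

@dataclass
class Issue:
    project: Project
    confidential: bool

@dataclass
class Upload:
    secret: str      # random path component in /uploads/<secret>/<filename>
    filename: str
    parent: Issue    # the issue whose comment carried the attachment

UploadStore = Dict[Tuple[str, str], Upload]

def can_read_issue(user: Optional[str], issue: Issue) -> bool:
    """Visibility rule: confidential issues are readable only by project members;
    non-confidential issues follow the project's visibility."""
    is_member = user is not None and user in issue.project.members
    if issue.confidential:
        return is_member
    return issue.project.public or is_member

def serve_upload_vulnerable(uploads: UploadStore, secret: str, filename: str,
                            user: Optional[str]) -> int:
    """Pattern the post describes: knowing the path is the only 'check'."""
    return 200 if (secret, filename) in uploads else 404

def serve_upload_fixed(uploads: UploadStore, secret: str, filename: str,
                       user: Optional[str]) -> int:
    """Hardened handler: the upload inherits the permission check of its parent.
    Unauthorized requests get 404 rather than 403 so the response does not
    confirm that a file exists at that path."""
    upload = uploads.get((secret, filename))
    if upload is None or not can_read_issue(user, upload.parent):
        return 404
    return 200

def build_sample() -> UploadStore:
    """Constructed scenario: a public project with one confidential and one
    ordinary issue, each with an attachment in a comment."""
    project = Project("public-project", public=True, members=frozenset({"user_a"}))
    confidential_issue = Issue(project, confidential=True)
    ordinary_issue = Issue(project, confidential=False)
    return {
        ("29d13d67d799524c457f5ecbba5d91ff", "secret.docx"):
            Upload("29d13d67d799524c457f5ecbba5d91ff", "secret.docx", confidential_issue),
        ("0123456789abcdef0123456789abcdef", "readme.png"):
            Upload("0123456789abcdef0123456789abcdef", "readme.png", ordinary_issue),
    }

def run_scenario() -> Dict[str, int]:
    """Exercise both handlers with the issue owner, an unrelated user, and anonymous."""
    uploads = build_sample()
    secret, name = "29d13d67d799524c457f5ecbba5d91ff", "secret.docx"
    pub_secret, pub_name = "0123456789abcdef0123456789abcdef", "readme.png"
    return {
        "vuln_user_b": serve_upload_vulnerable(uploads, secret, name, "user_b"),
        "vuln_anon": serve_upload_vulnerable(uploads, secret, name, None),
        "fixed_user_a": serve_upload_fixed(uploads, secret, name, "user_a"),
        "fixed_user_b": serve_upload_fixed(uploads, secret, name, "user_b"),
        "fixed_anon": serve_upload_fixed(uploads, secret, name, None),
        "fixed_public_attachment_anon": serve_upload_fixed(uploads, pub_secret, pub_name, None),
        "fixed_unknown_path": serve_upload_fixed(uploads, "deadbeef", "x.bin", "user_a"),
    }

if __name__ == "__main__":
    for case, status in run_scenario().items():
        print(f"{case:30s} -> {status}")
```

The point of the hardened handler is the line that resolves the upload to its parent: the project being public is not sufficient on its own, because the issue's confidentiality flag overrides project visibility, and the attachment must inherit that decision. Attachments on ordinary issues in a public project are still served to anyone, so the fix narrows access only where the parent is confidential.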

Mitigation

To address this vulnerability, GitLab has released a security patch (version 17.6.) that fixes the access control issue. It is highly recommended to update your GitLab CE/EE instance to version 17.6. or later.

1. Check the version of your current GitLab instance: sudo gitlab-rake gitlab:env:info

2. If your GitLab instance is below 17.6., follow the upgrade documentation provided by GitLab.

3. Verify that your GitLab instance has been updated to version 17.6. or later.
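For steps 1 and 3, the version has to be read out of the gitlab:env:info output and compared with the fixed release line. The script below is an added example, not a GitLab tool: it parses the "Version:" line from the "GitLab information" block and reports whether the instance is below 17.6. The sample output embedded in it is constructed and abridged (not captured from a real host), and the comparison looks only at the major.minor pair because the post gives the fix line as 17.6. without a patch number.

```python
import re
import sys
from typing import Optional, Tuple

# Constructed, abridged sample of `sudo gitlab-rake gitlab:env:info` output.
# Note that "Ruby Version:" also contains the word Version; only the line that
# starts with "Version:" inside the "GitLab information" block is the product version.
SAMPLE_ENV_INFO = """\
System information
System:         Ubuntu 22.04
Current User:   git
Ruby Version:   3.2.5
Gem Version:    3.5.16

GitLab information
Version:        17.5.2
Revision:       0000000
Directory:      /opt/gitlab/embedded/service/gitlab-rails
"""

# Fix line stated in the post (17.6.); compared on major.minor only.
FIXED_LINE: Tuple[int, int] = (17, 6)

def parse_gitlab_version(env_info: str) -> Optional[Tuple[int, ...]]:
    """Return the GitLab product version as a tuple of ints, or None if absent."""
    in_gitlab_block = False
    for line in env_info.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_block = True
            continue
        if not in_gitlab_block:
            continue
        # anchored at the line start so "Ruby Version:" etc. never match
        m = re.match(r"Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", line)
        if m:
            return tuple(int(g) for g in m.groups() if g is not None)
    return None

def needs_upgrade(env_info: str, fixed: Tuple[int, int] = FIXED_LINE) -> bool:
    """True when the parsed version is below the fixed major.minor line."""
    version = parse_gitlab_version(env_info)
    if version is None:
        raise ValueError("could not find the GitLab version in env:info output")
    return version[:2] < fixed

def report(env_info: str) -> str:
    version = parse_gitlab_version(env_info)
    label = ".".join(str(n) for n in version) if version else "unknown"
    if needs_upgrade(env_info):
        return f"GitLab {label}: BELOW {FIXED_LINE[0]}.{FIXED_LINE[1]}, upgrade required"
    return f"GitLab {label}: at or above {FIXED_LINE[0]}.{FIXED_LINE[1]}, not affected by this fix line"

if __name__ == "__main__":
    # Usage: sudo gitlab-rake gitlab:env:info | python3 check_gitlab_version.py
    # Falls back to the constructed sample when nothing is piped in.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    print(report(text))
```

Run the same script before and after the upgrade (steps 1 and 3): the first run should report "upgrade required" and the second run, on the updated instance, should not. Because the comparison is on integer tuples rather than strings, 17.10 correctly sorts above 17.6, which a naive string comparison would get wrong.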

In conclusion, it is essential to keep your software updated with security patches to protect sensitive information from unauthorized access. Ensure that your GitLab CE/EE instance is updated to version 17.6. or later to safeguard against unauthorized access to confidential files uploaded in public projects.

Timeline

Published on: 12/25/2024 15:15:05 UTC