October 2, 2023
Severity
Medium
Analysis Summary
CVE-2023-5207 CVSS:8.2
GitLab could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input. By adding another project’s policy bot as a member to their own project, an attacker could exploit this vulnerability to trigger pipelines in the victim’s project.
CVE-2023-2233 CVSS:3.1
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization in Sentry instance projects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-3914 CVSS:5.4
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by a business logic error where a service account is not deleted when a namespace is deleted. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain access to internal projects.
CVE-2023-3920 CVSS:4.3
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and create a fork relationship between existing projects.
CVE-2023-3917 CVSS:4.3
GitLab is vulnerable to a denial of service, caused by a flaw in the accessing of protected variables. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause pipelines to fail, resulting in a denial of service.
CVE-2023-3922 CVSS:3.0
GitLab is vulnerable to a denial of service, caused by a clickjacking vulnerability in the math rendering in Markdown. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to hijack some links and buttons on the GitLab UI to a malicious page, resulting in a denial of service.
CVE-2023-4532 CVSS:4.3
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization. By linking CI/CD jobs of private projects which they are not a member of to Machine Learning experiments, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-3115 CVSS:5.4
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper enforcement of Single Sign On restrictions for indirect project members accessing public members-only project repositories. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain access.
CVE-2023-4658 CVSS:3.1
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain “Allowed to push and merge” access to protected branches.
CVE-2023-0989 CVSS:4.3
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the processing of CI/CD configuration of forks. By persuading a victim to visit a fork with a specially crafted CI/CD configuration, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-3413 CVSS:6.5
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by the exposure of a resource to the wrong sphere. By forking a public project, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-4379 CVSS:8.1
GitLab could allow a remote attacker to bypass security restrictions, caused by insufficient control flow management. By sending a specially crafted merge request when the target branch is updated, an attacker could exploit this vulnerability to bypass code owners approval and change an MR’s base branch.
CVE-2023-3979 CVSS:3.1
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper access token revocation when removing a developer. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and continue editing the source code of a public project.
CVE-2023-3906 CVSS:3.5
GitLab could allow a remote authenticated attacker to obtain sensitive information, caused by improper validation of user-supplied input. By sending a specially crafted request using a non-ASCII character in an asset URI, an attacker could exploit this vulnerability to bypass the asset proxy, and obtain sensitive information.
CVE-2023-5198 CVSS:4.3
GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper revocation of deploy keys when project members are removed. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and write to protected branches.
Impact
- Information Disclosure
- Bypass Security
- Gain Access
- Code Execution
Indicators Of Compromise
CVE
- CVE-2023-5207
- CVE-2023-2233
- CVE-2023-3914
- CVE-2023-3920
- CVE-2023-3917
- CVE-2023-3922
- CVE-2023-4532
- CVE-2023-3115
- CVE-2023-4658
- CVE-2023-0989
- CVE-2023-3413
- CVE-2023-4379
- CVE-2023-3979
- CVE-2023-3906
- CVE-2023-5197
Affected Vendors
GitLab
Affected Products
- GitLab 16.4.0
- GitLab 16.3.4
- GitLab 16.2.7
Remediation
Refer to GitLab Web site for patch, upgrade or suggested workaround information.
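The first remediation step in practice is finding which instances in an estate still run one of the listed versions. The script below is an added example, not part of the Rewterz advisory and not GitLab's own code: it triages a constructed inventory of hostnames and version strings against the three versions named under "Affected Products". The host names are invented, the version strings mimic the "version" field returned by GitLab's GET /api/v4/version endpoint (which carries an -ee or -ce edition suffix), and the rule that an earlier patch level in the same 16.x series is also treated as affected is an assumption made here, not a statement from the advisory. Instances on a series the advisory does not list are reported separately rather than guessed at.

```python
"""Triage a GitLab inventory against the versions listed in the advisory.

Added example, not part of the Rewterz advisory. The three version strings
below are the advisory's "Affected Products"; the inventory is constructed
sample data; treating lower patch levels of a listed series as affected is
an assumption made in this script.
"""
from __future__ import annotations

import re
from typing import Optional, Tuple

# Versions named in the advisory's "Affected Products" section.
ADVISORY_AFFECTED = ("16.4.0", "16.3.4", "16.2.7")

# Constructed sample inventory. "version" mirrors the "version" field of
# GitLab's GET /api/v4/version response, e.g. "16.3.4-ee" (hostnames invented).
INVENTORY = [
    {"host": "gitlab-prod.example.internal", "version": "16.4.0-ee"},
    {"host": "gitlab-ci.example.internal", "version": "16.3.4"},
    {"host": "gitlab-lab.example.internal", "version": "16.2.3-ce"},
    {"host": "gitlab-new.example.internal", "version": "16.4.1-ee"},
    {"host": "gitlab-old.example.internal", "version": "15.11.2"},
    {"host": "gitlab-broken.example.internal", "version": "unknown"},
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), ignoring edition suffixes such as -ee."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def matching_advisory_line(version: str) -> Optional[str]:
    """Return the listed advisory version an instance falls under, or None.

    A match requires the same major.minor series as a listed version and a
    patch level at or below it (assumption: lower patch levels of a listed
    series are affected too). Unlisted series never match here.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    for listed in ADVISORY_AFFECTED:
        lmaj, lmin, lpatch = parse_version(listed)  # constants are well-formed
        if (parsed[0], parsed[1]) == (lmaj, lmin) and parsed[2] <= lpatch:
            return listed
    return None


def triage_inventory(inventory) -> dict:
    """Bucket hosts: affected, above_listed (same series, newer patch),
    unlisted_series (not covered by the advisory), unparseable."""
    report = {"affected": [], "above_listed": [], "unlisted_series": [], "unparseable": []}
    listed_series = {parse_version(v)[:2] for v in ADVISORY_AFFECTED}
    for item in inventory:
        host, version = item["host"], item["version"]
        parsed = parse_version(version)
        if parsed is None:
            report["unparseable"].append(host)
        elif matching_advisory_line(version) is not None:
            report["affected"].append(host)
        elif parsed[:2] in listed_series:
            report["above_listed"].append(host)
        else:
            report["unlisted_series"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket are the ones to upgrade per GitLab's release notes; "above_listed" hosts still need their exact version confirmed against GitLab's own fix list, since this script only knows the three versions the advisory names; "unlisted_series" hosts (15.x and earlier) are out of scope for the advisory but are older than every listed version and deserve their own review.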