Data importation mechanism failed to sanitize imports
A vulnerability in GitLab allowed attackers to stage various attacks against GitLab servers, including the cloud-hosted GitLab.com platform.
The bug, reported by security researcher ‘yvvdwf’, was caused by the way GitLab imports data from GitHub, which could be exploited to run commands on the host server.
GitLab uses Octokit, a library that provides an interface to import data from the GitHub API. To retrieve and present its results, Octokit uses the HTTP client library Sawyer.
However, GitLab directly used the Sawyer results returned by Octokit without sanitizing them, which provided opportunities to insert malicious commands.
Yvvdwf found that one of the parameters used in the import function was prone to command injections against GitLab’s Redis database.
RCE, information theft, and more
On standalone GitLab installations, an attacker could exploit the command injection bug to escalate from Redis to Bash and send commands to the operating system. Any potential attacker would have remote code execution (RCE) access to the host with the privileges of the host process.
While the RCE exploit did not work on GitLab.com, yvvdwf was able to use other Redis commands to replicate data from GitLab.com to a standalone server with a public IP. They were also able to poison GitLab projects through the same mechanism and make them inaccessible.
An attacker with a standalone GitLab installation and an API access token could use the exploit to steal information, inject malicious code, and perform other malicious actions against GitLab.com.
Protecting GitLab servers
The vulnerability was assigned CVE-2022-2884 with a critical base score of 9.9 in the Common Vulnerability Scoring System.
GitLab has already patched the issue in GitLab.com and published a critical security release for GitLab Community Edition and Enterprise Edition.
All users are advised to upgrade their GitLab installation. For organizations that can’t upgrade right away, GitLab advises them to secure their installation by disabling imports until they can patch their system.
While GitLab users will be safe by using the cloud or updated self-hosted version of the platform, other services that use Octakit to interact with GitHub should be wary and make sure that they perform the right checks around the data they pass on and receive through the library.
RELATED Policy-as-code approach counters ‘cloud native’ security risks