CVE-2023-2190 in Community Edition

Summary

by MITRE • 07/13/2023

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.


Analysis

by VulDB Data Team • 07/13/2023

This vulnerability in GitLab CE/EE represents a critical access control flaw that undermines the security model of private repositories. The issue stems from improper handling of commit visibility when projects transition from public to private states, creating a window where forked repositories can access commits that should remain restricted. The vulnerability affects a broad range of versions including 13.10 through 15.10.10, 16.0 through 16.0.5, and 16.1 through 16.1.0, indicating a long-standing flaw in the platform's permission management system. This type of vulnerability falls under CWE-284 Access Control Bypass, where unauthorized users can gain access to resources they should not be able to view.

The flaw manifests in the handling of forks when a repository transitions from public to private status. When users have created forks of a project while it was public, the system fails to re-evaluate the commit visibility and access permissions of those forks after the visibility change. This creates a scenario where forked repositories retain visibility into new commits made to the original project after it became private, effectively allowing unauthorized access to information that should be restricted to project members only. The defect lies in the gap between the project's visibility change and the enforcement of access controls on existing forks.

The operational impact of this vulnerability extends beyond simple information disclosure, potentially enabling advanced persistent threats to gather sensitive data about private projects. Attackers could leverage this flaw to discover new development activities, security patches, or potentially sensitive information that was committed to private repositories during the public phase. This creates risk for organizations relying on GitLab for code management, as the vulnerability could expose intellectual property, security vulnerabilities, or other confidential information that should remain restricted. The flaw directly impacts the principle of least privilege and can be categorized under ATT&CK technique T1566 Credential Access and T1005 Data from Local System.

Mitigation strategies for this vulnerability require immediate patching of affected GitLab instances to versions 15.11.10, 16.0.6, or 16.1.1 respectively, which contain the necessary fixes to properly enforce access controls during project forking operations. Organizations should also conduct comprehensive audits of their GitLab repositories to identify any potentially compromised forks that may have accessed unauthorized commits during the vulnerable period. Additionally, administrators should implement monitoring solutions to detect unusual access patterns in forked repositories and consider implementing more granular access controls for repository operations. The fix addresses the root cause by ensuring that forked repositories properly inherit the access control restrictions of their parent projects, preventing the leakage of information that should remain private.
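The two checks a defender would script from the mitigation advice above are (a) whether a given instance's version falls inside the affected ranges stated in the summary and (b) which private projects currently carry forks and therefore deserve review. The following Python is an added example for this page, not VulDB's or GitLab's own code. The affected ranges are taken from the summary; the project records are a constructed sample shaped like the `visibility`, `forks_count` and `path_with_namespace` fields that the GitLab REST projects endpoint returns (obtaining them from a live instance via `GET /api/v4/version` and `GET /api/v4/projects?visibility=private` is assumed, not shown).

```python
import re

# Affected ranges from the advisory, as [introduced, fixed) tuples:
# 13.10 <= v < 15.11.10, 16.0 <= v < 16.0.6, 16.1 <= v < 16.1.1
AFFECTED_RANGES = [
    ((13, 10, 0), (15, 11, 10)),
    ((16, 0, 0), (16, 0, 6)),
    ((16, 1, 0), (16, 1, 1)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Suffixes such as '-ee' or '-pre' (as in GET /api/v4/version output)
    are tolerated and ignored; a missing patch component counts as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the instance version lies in any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def forks_to_review(projects):
    """Return (project path, fork count) for private projects that have forks.

    Every fork of a now-private project is a candidate for the audit the
    advisory recommends: if it was created while the project was public,
    it may have exposed later private commits on an unpatched instance.
    """
    return [
        (p["path_with_namespace"], p["forks_count"])
        for p in projects
        if p.get("visibility") == "private" and p.get("forks_count", 0) > 0
    ]


# Constructed sample records (not real projects) in the shape of the
# GitLab projects API response, limited to the fields used here.
SAMPLE_PROJECTS = [
    {"path_with_namespace": "acme/payments", "visibility": "private", "forks_count": 2},
    {"path_with_namespace": "acme/website", "visibility": "public", "forks_count": 14},
    {"path_with_namespace": "acme/infra", "visibility": "private", "forks_count": 0},
    {"path_with_namespace": "acme/sdk", "visibility": "internal", "forks_count": 3},
]


if __name__ == "__main__":
    for ver in ("15.11.9-ee", "15.11.10", "16.0.6", "16.1.0-pre"):
        print(f"{ver:12s} affected={is_affected(ver)}")
    for path, count in forks_to_review(SAMPLE_PROJECTS):
        print(f"review forks of {path} ({count} fork(s))")
```

The range comparison is deliberately half-open on the fixed version so that the first patched release (15.11.10, 16.0.6, 16.1.1) is reported as not affected, matching the "before" wording of the summary; the fork listing is a triage list, not proof of exposure, since the API records do not say when each project became private.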

Responsible

GitLab Inc.

Reservation

04/19/2023

Disclosure

07/13/2023

Moderation

accepted

CPE

ready

EPSS

0.00549

KEV

no

Activities

very low

Sources
