CVE-2022-2630: Arbitrary GFM references rendered in Incident Timeline Events leak private/confidential resources (#369429) · Issues · GitLab.org / GitLab · GitLab

An improper access control issue in GitLab CE/EE affecting all versions from 15.2 before 15.2.4 and all versions from 15.3 before 15.3.2 allows disclosure of confidential information via Incident timeline events.


HackerOne report #1652853 by yvvdwf on 2022-07-28, assigned to @ngeorge1:


Report

Hi,

GitLab recently introduced the Incident Timeline events feature. The events' description is generated using the TimelineEventPipeline pipeline, which allows the following filters:

# Banzai filters applied when rendering a timeline event description
def self.filters
  @filters ||= FilterArray[
    *super,
    Filter::SanitizationFilter,
    *Banzai::Pipeline::GfmPipeline.reference_filters,
    Filter::EmojiFilter,
    Filter::ExternalLinkFilter,
    Filter::ImageLinkFilter
  ]
end

The reference_filters expand any references. Consequently, when the description of a timeline event references private or confidential resources, it will render their titles.

Normally these private/confidential resources are redacted when rendered to users without permission. Somehow this redaction is not applied in the incident timeline event.

Steps to reproduce:

As a normal user (victim):

  • create a private project, let's call it victim/project-a, then create a confidential issue inside. Its GFM reference is now victim/project-a#1

As an attacker:

  • Use an existing project or create a new one
  • Go to Monitor/Incidents and create an incident
  • Open the Timeline tab of the incident you've created. Then create a new timeline event and reference the issue above: fill victim/project-a#1 in the Timeline text
  • You should now see the issue's title rendered in the description of the event

Example

I tested on gitlab.com. I used gitlab-org/gitlab#367408 as the payload, which is used to track one of my previous H1 reports.
The example is available in this private project: https://gitlab.com/yvvdwf/xss/-/issues/12

Impact

This vulnerability allows rendering of all GFM references, such as merge requests, issues, etc., even if they are private or confidential.

For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, thus leaking their titles.

Best regards,
yvvdwf

Impact

This vulnerability allows an attacker to access all private or confidential GFM references, such as merge requests, issues, etc.


Attachments


  • Screenshot_2022-07-28_at_15.20.03.png
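As an added example (not GitLab's code), a miniature Ruby model of the behaviour the report describes: a reference filter that expands namespace/project#iid references into titles, called first without any viewer check (every title rendered) and then with a permission predicate that leaves unreadable references as raw text. The projects, issues and usernames are constructed for the example.

```ruby
# Constructed sample data (not real GitLab data): project visibility and issues.
PROJECTS = {
  "victim/project-a" => { private: true,  members: ["victim"] },
  "attacker/public"  => { private: false, members: ["attacker"] }
}.freeze

ISSUES = {
  ["victim/project-a", 1] => { title: "Secret roadmap",  confidential: true },
  ["attacker/public", 1]  => { title: "Public typo fix", confidential: false }
}.freeze

# Shape of a GFM cross-project issue reference: namespace/project#iid
REFERENCE_RE = %r{(?<path>[\w.-]+/[\w.-]+)#(?<iid>\d+)}

# Toy permission check: private projects and confidential issues are readable
# only by project members; everything else is public.
def can_read_issue?(user, path, iid)
  project = PROJECTS[path]
  issue   = ISSUES[[path, iid]]
  return false unless project && issue
  return true unless project[:private] || issue[:confidential]
  project[:members].include?(user)
end

# Expand each resolvable reference into "ref (title)". Without a block this is
# the unredacted rendering from the report; the block is the redaction hook and
# a reference is expanded only if it returns true for that reference.
def expand_references(text)
  text.gsub(REFERENCE_RE) do
    m = Regexp.last_match
    iid   = m[:iid].to_i
    issue = ISSUES[[m[:path], iid]]
    allowed = issue && (!block_given? || yield(m[:path], iid))
    allowed ? "#{m[0]} (#{issue[:title]})" : m[0]
  end
end

# Redacted rendering: titles only for references the viewer may read.
def render_for(user, text)
  expand_references(text) { |path, iid| can_read_issue?(user, path, iid) }
end

if $PROGRAM_NAME == __FILE__
  event = "Related: victim/project-a#1 and attacker/public#1"
  puts expand_references(event)     # both titles leak
  puts render_for("attacker", event) # only the public title is shown
end
```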
