Critical GitLab Security Vulnerability Reveals Project Secrets & More

The software security sirens are sounding again, and this time it’s a critical security vulnerability affecting GitLab, one of the open source communities favorite Git repository hosting services.

Well, what’s the story, and is this something to get concerned about?

Reducing Enterprise Application Security Risks:

More Work Needs to Be Done

What Is It?

Jobert Abma, co-founder of HackerOne, reported last Friday a critical GitLab security vulnerability affecting both GitLab’s Community and Enterprise Editions.

The ‘arbitrary file read’ vulnerability affects GitLab’s buggy ‘import/export’ feature, allowing authenticated users to gain access to secrets, tokens and sensitive application files.

How does it work?

The recipe for the critical GitLab security vulnerability is a combination of error handling (how the JavaScript function ‘JSON.parse’ operates), combined with the fact that symbolic links were mentioned in GitLab imports.

After digging around, Abma discovered that these issues allowed him to reveal the contents of a file within an error message

After a file’s contents have been deciphered, the vulnerability enables hackers to attack on two vectors.

Firstly, the GitLab security vulnerability allows attackers to read any repository by giving them access to GitLab shell tokens, which are used by the service to authenticate users.

Secondly, attackers can trigger a remote code execution, as the bug allows cookies to be marshaled and then resigned.

Vulnerability Information

The GitLab security vulnerability has been assigned CVE-2016-9086.

The vulnerability has a Medium 6.5 CVSS score, meaning this bug is something to be remediated promptly.

This is because the attacker can gain a considerable amount of confidential and vital data, using a pretty simple method of attack.

Affected Versions, and What You Can Do About It

Affected versions are as follows:

  • 8.13.0 – 8.13.2
  • 8.12.0 – 8.12.7
  • 8.11.0 – 8.11.9
  • 8.10.0 – 8.10.12
  • 8.9.0 – 8.9.11

Patches for versions 8.10.0 and later can be found here.

If you’re running earlier versions on your servers, and you can’t upgrade to a newer version, I’m sorry to say that you won’t be receiving a patch. However, you can secure your system by disabling the buggy feature (Project Import/Export) via this workaround.

Having Your Finger on the Pulse

This critical GitLab security vulnerability is another reminder of the importance of keeping up-to-date with version updates and fixes.

 If you’re looking for an open source management solution which provides you with all patches, fixes as well other remediation suggestions, without your team having to do any of the legwork, why not check out what WhiteSource can offer your organization.