GitLab Community and Enterprise Edition Vulnerability
GitLab is web-based Git repository manager that includes additional features to handle all stages of the DevOps lifecycle including continuous integration and delivery, issue tracking, monitoring, and integration with many other applications. GitLab is built on several technologies including Ruby, Rails, Go, and Redis and is available as a free Community Edition or a paid Enterprise Edition.
A stored cross-site scripting vulnerability has been reported in the Community edition and Enterprise edition of GitLab. The vulnerability is due to insufficient input sanitization of ipynb files.
A remote, authenticated attacker can exploit these vulnerabilities with crafted requests to the target server. Successful exploitation could result in arbitrary script execution in the target user’s browser.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-39906.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).
Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is low.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is low.
• Impact of this vulnerability on data integrity is low.
• Impact of this vulnerability on data availability is low.
Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
A stored cross-site scripting vulnerability exists in GitLab. The vulnerability is due to insufficient Jupyter notebook rendering sanitization. The HTML output of a command can contain SVG data with a use element referencing a GitLab icons SVG file on the GitLab server. The attribute sanitization does not normalize the path. The path to a valid SVG file can be used with a relative path to a crafted SVG appended that passes the sanitization check in isUrlAllowed(). The crafted SVG must be hosted in a repository on the same GitLab host.
In the crafted SVG file, a foreignObject element can be used to inject arbitrary HTML after GitLab sanitization is performed. The SVG specification mentions that a referenced SVG XML should be cloned for use element processing, without an exclusion for foreignObject elements. However, the only browser engine that honours the cloning of foreignObject elements is Gecko. As a result, this XSS can only be triggered on Firefox browsers. The SVG Working Group has discussed removing foreignObject from the elements to clone from use referenced SVG files, but this is not yet written into the specification.
A remote, authenticated attacker can exploit this vulnerability by creating crafted SVG and IPYNB files on the target server. Successful exploitation results in arbitrary script execution in the target user’s browser.
Triggering the Problem:
• The target system must have the vulnerable product installed and running.
• The attacker must have network connectivity to the affected ports.
• The attacker must have authorized access to a user with permissions to create files in a project.
The attacker will authenticate to the target system. Once authenticated, the attacker will create a malicious SVG and IPYNB file.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 705 GitLab ipynb Stored XSS 1
• IPS: 18693 GitLab ipynb Stored XSS 2
Please note that if your web service/server is accessible over HTTPS, then enabling of Server DPI-SSL is necessary for the above signature to detect exploits targeting this vulnerability.
The risks posed by this vulnerability can be mitigated or eliminated by:
• Updating the product by obtaining a new revision or applying the vendor supplied patch.
• Filtering attack traffic using the signatures above.
The vendor has released the following advisory regarding this vulnerability: