CVE-2017-0882 - Information Exposure vulnerability in Gitlab

CVSS score: 4.0 (MEDIUM)

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, gitlab, CWE-200, nessus

Summary

Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.

Common Weakness Enumeration (CWE)

  • CWE-200: Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_5D62950F3BB511E793F7D43D7E971A1B.NASL
description: GitLab reports : Information Disclosure in Issue and Merge Request Trackers During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 100284
published: 2017-05-19
reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/100284
title: FreeBSD : gitlab -- Various security issues (5d62950f-3bb5-11e7-93f7-d43d7e971a1b)
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(100284);
  script_version("3.3");
  script_cvs_date("Date: 2018/11/10 11:49:46");

  script_cve_id("CVE-2017-0882");

  script_name(english:"FreeBSD : gitlab -- Various security issues (5d62950f-3bb5-11e7-93f7-d43d7e971a1b)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"GitLab reports : Information Disclosure in Issue and Merge Request
Trackers During an internal code review a critical vulnerability in
the GitLab Issue and Merge Request trackers was discovered. This
vulnerability could allow a user with access to assign ownership of an
issue or merge request to another user to disclose that user's private
token, email token, email address, and encrypted OTP secret.
Reporter-level access to a GitLab project is required to exploit this
flaw. SSRF when importing a project from a Repo by URL GitLab
instances that have enabled project imports using 'Repo by URL' were
vulnerable to Server-Side Request Forgery attacks. By specifying a
project import URL of localhost an attacker could target services that
are bound to the local interface of the server. These services often
do not require authentication. Depending on the service an attacker
might be able craft an attack using the project import request URL.
Links in Environments tab vulnerable to tabnabbing edio via HackerOne
reported that user-configured Environment links include target=_blank
but do not also include rel: noopener noreferrer. Anyone clicking on
these links may therefore be subjected to tabnabbing attacks where a
link back to the requesting page is maintained and can be manipulated
by the target server. Accounts with email set to 'Do not show on
profile' have addresses exposed in public atom feed Several GitLab
users reported that even with 'Do not show on profile' configured for
their email addresses those addresses were still being leaked in Atom
feeds if they commented on a public project."
  );
  # https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a2b29199"
  );
  # https://vuxml.freebsd.org/freebsd/5d62950f-3bb5-11e7-93f7-d43d7e971a1b.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8a19acb8"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gitlab");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"gitlab>=8.7.0<=8.15.7")) flag++;
if (pkg_test(save_report:TRUE, pkg:"gitlab>=8.16.0<=8.16.7")) flag++;
if (pkg_test(save_report:TRUE, pkg:"gitlab>=8.17.0<=8.17.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamily: exploit
description:

#### Information Disclosure in Issue and Merge Request Trackers

During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user's private token, email token, email address, and encrypted OTP secret. Reporter-level access to a GitLab project is required to exploit this flaw.

This vulnerability is the result of a bug in the serialization of a user object and was introduced in GitLab 8.7.0. Please see the [issue](https://gitlab.com/gitlab-org/gitlab-ce/issues/29661) for more details.

This issue has been assigned [CVE-2017-0882](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0882).

#### Versions affected

* 8.7.0 through 8.15.7
* 8.16.0 through 8.16.7
* 8.17.0 through 8.17.3

We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.

### Post-Upgrade Steps

Due to the nature of this vulnerability it is possible that sensitive user tokens have been cached by proxies or web browsers. We therefore recommend that administrators reset private tokens and incoming email tokens for all users. A rake task for performing token resets is included with this announcement.

Encrypted One-Time Password (OTP) secrets may also have been leaked by the vulnerability. These secrets are encrypted, require the key for decrypting the secret, and cannot be used on their own without a copy of the user password; however, we are still recommending that all users who utilize One-Time Passwords disable and then re-enable their OTP for all GitLab instances. This will reset the OTP secret.

### Rake Task for Resetting User Tokens

After upgrading we recommend that all GitLab installations reset all user private tokens and email tokens. To do so please save the following rake task in the appropriate location.

For Omnibus: `/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/reset_token.rake`

For Source: `<gitlab_installation_dir>/lib/tasks/reset_token.rake`

```
# lib/tasks/reset_token.rake
require_relative '../../app/models/concerns/token_authenticatable.rb'

STDOUT.sync = true

namespace :tokens do
  desc "Reset all GitLab user auth tokens"
  task reset_all: :environment do
    reset_all_users_token(:reset_authentication_token!)
  end

  desc "Reset all GitLab email tokens"
  task reset_all_email: :environment do
    reset_all_users_token(:reset_incoming_email_token!)
  end

  def reset_all_users_token(token)
    TmpUser.find_in_batches do |batch|
      puts "Processing batch starting with user ID: #{batch.first.id}"
      batch.each(&token)
    end
  end
end

class TmpUser < ActiveRecord::Base
  include TokenAuthenticatable

  self.table_name = 'users'

  def reset_authentication_token!
    write_new_token(:authentication_token)
    save!(validate: false)
  end

  def reset_incoming_email_token!
    write_new_token(:incoming_email_token)
    save!(validate: false)
  end
end
```

Omnibus users would then run:

```
sudo gitlab-rake tokens:reset_all
sudo gitlab-rake tokens:reset_all_email
```

Source users would run:

```
sudo -u git -H bundle exec rake tokens:reset_all RAILS_ENV=production
sudo -u git -H bundle exec rake tokens:reset_all_email RAILS_ENV=production
```

The rake file can be deleted after this task finishes.

#### Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

#### Securing via patch

To temporarily patch just the critical vulnerability, change to the appropriate directory and apply the attached diff.

Omnibus:

```
$ cd /opt/gitlab/embedded/service/gitlab-rails/
$ git apply <path_to_diff>
$ sudo gitlab-ctl restart unicorn
```

Source:

```
$ cd <gitlab_installation_dir>/
$ git apply <path_to_diff>
```

```
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index 1151555..857d907 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -129,7 +129,7 @@ class Projects::IssuesController < Projects::ApplicationController end format.json do - render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) + render json: @issue.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) end end diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index 82f9b6e..677a8a1 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -308,7 +308,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController end format.json do - render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) + render json: @merge_request.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) end end rescue ActiveRecord::StaleObjectError ``` #### Verifying the workaround 1. Browse to a project 2. Open the project's issue tracker 3. Create an issue and assign ownership of the issue to another user 4. View the returned JSON and verify that no private information such as tokens are included
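Review bot: the `only: [:name, :username]` added to the `assignee` include in the issues_controller.rb hunk is the right shape of fix, an explicit allow-list rather than removing individual columns, but the same `to_json` call still serializes `@issue` itself and `milestone: {}` with no `only:`, so a sensitive column added to either model later would leak through the same path; consider moving this response into a serializer or entity class with a fixed attribute list instead of an inline option hash. The change from `methods: :avatar_url` to `methods: [:avatar_url]` is behaviour-neutral, since the serializer wraps that option in `Array()` either way.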
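Review bot: the merge_requests_controller.rb hunk repeats the exact option hash from the issues controller; keeping the allow-list in two places invites drift, so extract a shared constant or serializer that both controllers call. The diff also only stops new leaks: as the Post-Upgrade Steps above say, tokens already returned may be cached by proxies or browsers, so the token-reset rake task is still required after applying it.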
id: SSV:92805
last seen: 2017-11-19
modified: 2017-03-21
published: 2017-03-21
reporter: Root
title: GitLab permission leak Vulnerability (CVE-2017-0882)
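The serialization bug the advisory describes and its allow-list fix, as an added example that is not GitLab's code: a minimal stand-in for ActiveModel's serializable_hash replaces ActiveRecord, the User columns carry constructed placeholder values, and leaked_fields automates step 4 of the workaround verification (check the returned JSON for token fields).

```ruby
require 'json'

# Stand-in for ActiveModel's serializable_hash (constructed for this example, not
# GitLab code); it honours the :only, :methods and :include options seen in the diff.
module MiniSerializable
  def serializable_hash(opts = {})
    names = opts[:only] ? Array(opts[:only]).map(&:to_s) : attributes.keys
    hash = attributes.select { |k, _| names.include?(k) }
    Array(opts[:methods]).each { |m| hash[m.to_s] = public_send(m) }
    (opts[:include] || {}).each { |assoc, sub| hash[assoc.to_s] = public_send(assoc)&.serializable_hash(sub) }
    hash
  end
  def to_json(opts = {})
    JSON.generate(serializable_hash(opts))
  end
end

class User # carries the columns the advisory names, with placeholder values
  include MiniSerializable
  attr_reader :attributes
  def initialize(attrs); @attributes = attrs; end
  def avatar_url; "https://example.invalid/#{attributes['username']}.png"; end
end

class Issue
  include MiniSerializable
  attr_reader :attributes, :assignee
  def initialize(attrs, assignee); @attributes, @assignee = attrs, assignee; end
end

ASSIGNEE = User.new('name' => 'Alice', 'username' => 'alice', 'email' => 'alice@example.invalid',
                    'authentication_token' => 'PLACEHOLDER_PRIVATE_TOKEN',
                    'incoming_email_token' => 'PLACEHOLDER_EMAIL_TOKEN',
                    'encrypted_otp_secret' => 'PLACEHOLDER_OTP_SECRET')
ISSUE = Issue.new({ 'id' => 1, 'title' => 'constructed issue' }, ASSIGNEE)

# Option hashes from the diff: before (every assignee column) and after (explicit allow-list).
VULNERABLE_OPTS = { include: { assignee: { methods: :avatar_url } } }
PATCHED_OPTS = { include: { assignee: { only: [:name, :username], methods: [:avatar_url] } } }
SENSITIVE = %w[authentication_token incoming_email_token encrypted_otp_secret email].freeze

# Step 4 of the advisory's verification, automated: sensitive keys found anywhere in the JSON.
def leaked_fields(json_string)
  walk = lambda do |node|
    case node
    when Hash then node.keys.select { |k| SENSITIVE.include?(k) } + node.values.flat_map(&walk)
    when Array then node.flat_map(&walk)
    else []
    end
  end
  walk.call(JSON.parse(json_string)).uniq
end
```

With the pre-patch options the assignee's tokens, email and OTP secret appear in the issue JSON; with the patched options only name, username and avatar_url survive.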