GitLab (the company) has pushed out security updates for both the Community Edition (CE) and Enterprise Edition (EE) of the GitLab software, fixing a critical security flaw in the “import/export project” feature.
“This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users,” the company explained.
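The defect GitLab describes is a classic archive-handling one: entries of an uploaded tar file were written to disk without checking whether they were symbolic links, so a link entry could point at any file the service account could read. The check below is an added illustration of the mitigation and is not GitLab's code; it inspects every member of an uploaded archive before anything is extracted, rejecting link entries outright and refusing paths that escape the destination directory. The archives, the `/etc/example-service/secrets.json` link target and the destination path are constructed placeholders for the example.

```python
import io
import os
import tarfile


def check_archive_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Inspect every entry before anything is written to disk.

    Returns a list of human-readable rejection reasons; an empty list means the
    archive holds only regular files and directories that stay inside `dest`.
    """
    problems = []
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        # The advisory's bug class: link entries were not checked, so a symlink in
        # the archive could point at any file the service account could read.
        # Refuse every symlink and hardlink instead of trying to validate targets.
        if member.issym() or member.islnk():
            problems.append(f"{member.name}: link entry (-> {member.linkname}) not allowed")
            continue
        if not (member.isfile() or member.isdir()):
            problems.append(f"{member.name}: unsupported entry type")
            continue
        # Sibling bug class: absolute names and '..' traversal. Normalise the
        # target and require it to remain under the extraction directory.
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            problems.append(f"{member.name}: escapes {dest_real}")
    return problems


def scan_import(data: bytes, dest: str) -> list[str]:
    """Open an uploaded .tar.gz (as bytes) and return the rejection reasons."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return check_archive_members(tar, dest)


def build_archive(entries) -> bytes:
    """Constructed fixtures only: entries are (name, kind, payload), where kind is
    'file' (payload = text content) or 'symlink' (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name=name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed: a well-formed export containing only regular files.
CLEAN_EXPORT = build_archive([
    ("project.json", "file", '{"name": "demo"}'),
    ("uploads/readme.md", "file", "hello"),
])
# Constructed: a hostile export with a symlink to a placeholder secrets path and a
# traversal entry. Neither path is taken from the advisory.
HOSTILE_EXPORT = build_archive([
    ("project.json", "file", '{"name": "demo"}'),
    ("uploads/secrets", "symlink", "/etc/example-service/secrets.json"),
    ("../../escape.txt", "file", "x"),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_EXPORT), ("hostile", HOSTILE_EXPORT)):
        print(label, scan_import(blob, "/tmp/import-dest") or "OK")
```

The check runs over the member list before `extractall`, so nothing hostile touches the filesystem. Python 3.12 and later also offer extraction filters (`extractall(filter="data")`) that cover much of this, but a pre-extraction scan like the one above gives an explicit reject list that can be logged and shown to the uploader.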
The vulnerability (CVE-2016-9086) was unearthed and flagged by HackerOne co-founder Jobert Abma.
Exploitation of the flaw is trivial.
“The project export feature serializes the user objects of team members and stores it in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user,” Abma explained.
“From what I’ve seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories.”
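The second problem Abma points at is over-serialization: the exporter wrote whole user objects, `authentication_token` included, into `project.json`. The example below is an added illustration of the defensive pattern and is not GitLab's code: user records are reduced to an explicit allow-list of fields on export, a deny-list catches known secret-bearing keys anywhere else in the structure, and a final gate refuses to write the file if any survive. The `USER_EXPORT_FIELDS` allow-list, the `project_members` layout and every key other than `authentication_token` are assumptions for the example.

```python
import json

# Assumed allow-list of the fields an export legitimately needs from a user
# record; an illustrative schema, not GitLab's.
USER_EXPORT_FIELDS = ("id", "username", "name")
# Keys that must never be written to an export. authentication_token is the field
# named by Abma; the other two are assumed examples of secret-bearing columns.
SECRET_KEYS = frozenset({"authentication_token", "encrypted_password", "otp_secret"})


def scrub_export(node):
    """Return (scrubbed_copy, removed_paths) for a project export structure.

    Any dict stored under a 'user' key is reduced to USER_EXPORT_FIELDS, and any
    SECRET_KEYS met anywhere else are dropped too, so a newly added model column
    cannot leak through the serializer unnoticed. removed_paths is an audit trail
    of the JSON paths that were stripped.
    """
    removed = []

    def walk(value, path):
        if isinstance(value, dict):
            out = {}
            for key, child in value.items():
                child_path = f"{path}.{key}"
                if key in SECRET_KEYS:
                    removed.append(child_path)
                elif key == "user" and isinstance(child, dict):
                    out[key] = {k: child[k] for k in USER_EXPORT_FIELDS if k in child}
                    removed.extend(f"{child_path}.{k}" for k in child if k not in out[key])
                else:
                    out[key] = walk(child, child_path)
            return out
        if isinstance(value, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(value)]
        return value

    return walk(node, "$"), removed


def contains_secret(node):
    """Final gate before writing project.json: True if any SECRET_KEYS survive."""
    if isinstance(node, dict):
        return any(k in SECRET_KEYS or contains_secret(v) for k, v in node.items())
    if isinstance(node, list):
        return any(contains_secret(v) for v in node)
    return False


# Constructed sample export shaped after Abma's description: a team member is
# serialized with the full user object, token included. Field names other than
# authentication_token are invented and the token value is a placeholder.
SAMPLE_EXPORT = {
    "name": "demo-project",
    "project_members": [
        {
            "access_level": 40,
            "user": {
                "id": 1,
                "username": "admin",
                "name": "Site Admin",
                "email": "admin@example.invalid",
                "authentication_token": "PLACEHOLDER-NOT-A-REAL-TOKEN",
            },
        }
    ],
}

if __name__ == "__main__":
    safe, dropped = scrub_export(SAMPLE_EXPORT)
    if contains_secret(safe):
        raise SystemExit("refusing to write export: secrets still present")
    print(json.dumps(safe, indent=2))
    print("stripped:", dropped)
```

The allow-list is the real fix: an exporter should name the fields it needs rather than dump whole ORM objects. The deny-list and `contains_secret` gate are defence in depth for the day someone serializes a user record from a code path the allow-list does not cover.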
So, if you self-host GitLab and are running a vulnerable version, update your installation as soon as possible.
Affected versions include versions 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.9, 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11.
Older versions will not receive a patch, but can be protected by disabling the affected feature (Project Import/Export via Tape Archive).