CVE-2018-19572

Vulnerability

A time-of-check-to-time-of-use (TOCTOU) race condition exists in the gitlab-pages component of GitLab CE (8.17 and later) and EE (8.3 and later). The vulnerability arises because GitLab allows symlinks in the deployed pages tree. When the pages tree is replaced, the symlink check can run on the previous tree while the subsequent open operation runs on the new tree, enabling an attacker to bypass symlink restrictions. This issue is fixed in versions 11.5.1, 11.4.8, and 11.3.11 [1].

Exploitation

An attacker must have the ability to create or modify symlinks within the GitLab Pages deployment tree. The race window occurs during the replacement of the pages tree; the attacker can craft a symlink that points outside the intended chroot environment. By timing the replacement, the symlink check passes on the old tree, but the file open uses the new tree, allowing access to arbitrary files [1].

Impact

Successful exploitation allows an attacker to read files outside the GitLab Pages chroot environment, leading to unauthorized information disclosure. The attacker gains access to files that should be restricted, potentially including sensitive data from other projects or the host system [1].

Mitigation

Upgrade to GitLab versions 11.5.1, 11.4.8, or 11.3.11 or later, which contain the fix. The issue is resolved by dropping symlinks during extraction, as suggested in the reference [1]. No workaround is documented for unpatched versions.