CVE-2023-1965
Description
An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE fails to verify RelayState in Group SAML SSO, allowing an open redirect that can steal OAuth tokens.
Vulnerability
GitLab EE versions from 14.2 before 15.9.6, from 15.10 before 15.10.5, and from 15.11 before 15.11.1 lack verification of the RelayState parameter in Group SAML SSO responses. This allows an open redirect after a successful SAML login. Group SAML SSO must be enabled by an administrator; it is not enabled by default [1].
Exploitation
An attacker crafts a malicious RelayState URL pointing to an attacker-controlled server. When a victim user logs in via Group SAML SSO, GitLab redirects the authenticated POST request to the attacker's URL, carrying the victim's session cookies. By chaining this open redirect with third-party OAuth login flows (e.g., Bitbucket, GitHub, Google), the attacker can capture OAuth access tokens granted for those services. The attack requires the victim to initiate a SAML SSO login and for the attacker to pre-stage the redirect target [1].
Impact
Successful exploitation allows an attacker to obtain OAuth access tokens for integrated third-party services. For Bitbucket, these tokens have broad read access and some write access to repositories, wikis, and projects. This can lead to account takeover of the linked third-party services and potential data exfiltration or unauthorized modifications within those services [1].
Mitigation
GitLab released fixed versions: 15.9.6, 15.10.5, and 15.11.1. Administrators should upgrade to these or later versions immediately. No workaround is available for unpatched instances. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
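The underlying defect is an unchecked RelayState redirect target. The following is an added illustration of the kind of check a SAML callback should apply before honouring RelayState; it is not GitLab's own code or fix. The function name `safe_relay_state` and the constructed sample values are assumptions for the example.

```ruby
# Added illustration (not GitLab's code): only honour a RelayState value that is a
# same-origin relative path. Anything with a scheme, host, userinfo or a
# protocol-relative prefix falls back to a safe default, closing the open redirect.
require "uri"

SAFE_DEFAULT = "/".freeze

def safe_relay_state(relay_state, default: SAFE_DEFAULT)
  value = relay_state.to_s.strip
  return default if value.empty?

  # Protocol-relative ("//evil.example") and backslash variants are rejected before
  # parsing, since browsers may normalise them into an off-site absolute URL.
  return default if value.start_with?("//", "/\\", "\\")

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return default
  end

  # A scheme, host or userinfo component means this is not a plain local path.
  return default unless uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
  return default unless uri.path.start_with?("/")

  # Rebuild from path and query only, dropping fragments and any other components.
  target = uri.path
  target += "?#{uri.query}" if uri.query
  target
end
```

Deployed in the SAML callback, the redirect would go to `safe_relay_state(params[:RelayState])` rather than to the raw parameter.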
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=14.2, <15.9.6 || >=15.10, <15.10.5 || >=15.11, <15.11.1
- Range: >=14.2, <15.9.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.