VYPR
Unrated severity · NVD Advisory · Published Dec 15, 2023 · Updated Nov 20, 2025

Improper Control of Generation of Code ('Code Injection') in GitLab

CVE-2023-6051

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE fails to verify file integrity when downloading source code from a tag, allowing an attacker to substitute malicious content.

Vulnerability

The GitLab web interface does not validate the integrity of source code or installation packages when downloaded from a specific tag [1]. This affects GitLab Community Edition (CE) and Enterprise Edition (EE) all versions before 16.4.4, all versions from 16.5 before 16.5.4, and all versions from 16.6 before 16.6.2. The vulnerability arises because an attacker can create a tag with a name that resembles a long Git hash, and the web interface will display seemingly secure commits but serve files that may contain malicious content when the tag is used as the download source [1].
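The ambiguity described above (a tag whose name is a full-length hex object id, so a download "by hash" may actually resolve to the tag) can be audited from the repository side. The following is an added example, not GitLab's code, showing one defender-side check: parse the output of `git show-ref --tags -d`, flag tags whose names are indistinguishable from a SHA-1 or SHA-256 object id, and pin a download to the commit it is expected to contain rather than to the ref name alone. The object ids and tag names in `SAMPLE_SHOW_REF` are constructed; `archive_commit` assumes tag-before-hash precedence, which is the behaviour the advisory describes, and is a modelling assumption rather than GitLab's documented resolution order.

```python
"""Flag Git tags whose names look like full commit hashes.

Added example for CVE-2023-6051 (not GitLab's code): the advisory describes a
tag named like a long Git hash being presented as that commit while the
archive is built from whatever the tag really points to.  A repository
owner or consumer can list tags, flag hash-like names, and verify that a
download resolves to the commit they expect.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Full-length hex object ids: 40 chars for SHA-1 repos, 64 for SHA-256 repos.
HASH_LIKE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

# Constructed sample in the format of `git show-ref --tags -d`.  The `^{}`
# suffix marks the peeled commit of an annotated tag.  All ids are made up.
# The third tag is named exactly like the peeled commit of v1.0.0, so a user
# who "downloads the v1.0.0 commit by hash" could be served a different tree.
SAMPLE_SHOW_REF = """\
1f2e3d4c5b6a79887766554433221100ffeeddcc refs/tags/v1.0.0
9a8b7c6d5e4f3021122334455667788990aabbcc refs/tags/v1.0.0^{}
0123456789abcdef0123456789abcdef01234567 refs/tags/9a8b7c6d5e4f3021122334455667788990aabbcc
fedcba9876543210fedcba9876543210fedcba98 refs/tags/v1.1.0
"""


def parse_show_ref(text: str) -> Dict[str, str]:
    """Map tag name -> commit id, using the peeled `^{}` entry when present."""
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        oid, ref = line.split(maxsplit=1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = oid
        else:
            tags[name] = oid
    # Annotated tags: replace the tag object id with the commit it points to.
    tags.update(peeled)
    return tags


def find_hashlike_tags(tags: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (tag_name, resolved_commit, name_equals_commit) for every tag
    whose name would be mistaken for a full object id.  A False third field
    is the deceptive case: the name says one commit, the tag points elsewhere."""
    findings: List[Tuple[str, str, bool]] = []
    for name, commit in sorted(tags.items()):
        if HASH_LIKE.match(name):
            findings.append((name, commit, name == commit))
    return findings


def archive_commit(tags: Dict[str, str], ref: str) -> str:
    """Model what a `<ref>` download would contain.  Assumption (from the
    advisory's description, not GitLab's documented behaviour): a ref that
    exists as a tag resolves to the tag's commit even if it looks like a hash."""
    if ref in tags:
        return tags[ref]
    if HASH_LIKE.match(ref):
        return ref
    raise KeyError(f"unknown ref {ref!r}")


def is_pinned_download_safe(tags: Dict[str, str], ref: str, expected_commit: str) -> bool:
    """True only when the ref resolves to the commit the consumer expects."""
    return archive_commit(tags, ref) == expected_commit


def load_tags_from_repo(repo_path: str) -> Dict[str, str]:
    """Read real tag data from a local clone (not used by the sample run)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "show-ref", "--tags", "-d"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_show_ref(out)


if __name__ == "__main__":
    tags = parse_show_ref(SAMPLE_SHOW_REF)
    for name, commit, same in find_hashlike_tags(tags):
        status = "consistent" if same else "MISMATCH: name != target"
        print(f"tag {name} -> {commit} [{status}]")
```

Run against a real clone with `load_tags_from_repo(".")`; any finding with a `False` third field deserves review, and consumers should compare `archive_commit` output against the commit id recorded in their lock file or release notes rather than trusting the ref string they typed.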

Exploitation

An attacker can exploit this either by creating a repository that includes tags and versions containing malicious code, or by having Developer or higher permissions on an existing project and creating such tags. The attack does not require a race condition but relies on user interaction: a victim must download source code from the web interface using a tag, believing it corresponds to a specific commit. The attacker must first create the deceptive tag and ensure the tag points to a commit with malicious content [1].

Impact

Successful exploitation compromises file integrity: the victim downloads source code or installation packages that differ from the expected content, potentially including backdoors or other malicious code. The attacker can thereby introduce arbitrary malicious code into the victim's build or deployment pipeline, leading to a broader compromise of confidentiality, integrity, or availability depending on the injected payload [1].

Mitigation

GitLab released fixed versions 16.4.4, 16.5.4, and 16.6.2 on 2023-12-14 to address this issue. Users should upgrade to the latest patched version. No workaround is available for unpatched instances [1]. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
