CVE-2019-12825: Unauthorized Access to Container Registry of other groups

, CVE-2019-12825: Unauthorized Access to Container Registry of other groups

Overview

  • Vendor: GitLab Inc.
  • Product: Gitlab Enterprise (gitlab.com)
  • Version: 12.0.0-pre
  • Vulnerability: Relected Cross-Site Scripting
  • Fixed Version: 12.5

Background

GitLab provides a Git-repository manager with on top services and tools like a web-based DevOps lifecycle tool, wiki, issue-tracking and CI/CD pipeline features. GitLab is using an open-source license and developed by GitLab Inc.

From the vendor’s website: “GitLab is the first single application for the entire DevOps lifecycle. From planning to monitoring GitLab covers every stage and additionally lets you manage and secure across stages. Only GitLab enables Concurrent DevOps, unlocking organizations from the constraints of the toolchain. GitLab provides unmatched visibility, higher levels of efficiency, and comprehensive governance. This makes the software lifecycle 200% faster, radically improving the speed of business.”

Issue Description

When a user changes the path of a group in Gitlab, Docker registries are not adapted, leaving them in the old namespace. They are not protected and are available to all other users with no previous access to the repo.

The following steps illustrate the inadequate access control to docker registry:

  • create two Gitlab user (pentest1, pentest2) with ssh keys
username = pentest1
mail = pentest1@groupofdestruction.de
pw = ...[SNIP]...

username = pentest2
mail = pentest2@groupofdestruction.de
pw = ...[SNIP]...
build:docker:
stage: build
image: docker:18
services:
  - docker:dind
before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD \
    $CI_REGISTRY
script:
  - docker pull centos:7
  - docker pull centos:6
  - docker pull oraclelinux:7
  - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
  - docker tag docker.io/centos:6 $CI_REGISTRY_IMAGE:2.12.1
  - docker tag docker.io/oraclelinux:7 $CI_REGISTRY_IMAGE:2.13.1

  - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
  - docker push $CI_REGISTRY_IMAGE:2.12.1
  - docker push $CI_REGISTRY_IMAGE:2.13.1

CVE

CVE-2019-12825

CVSSv3 Base Score

CVSS Base Score: 5.6

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit

Patrick Muench of SVA System Vertrieb Alexander GmbH

Christoph Hartmann of Mondoo, Inc.

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 Mondoo, Inc. & SVA System Vertrieb Alexander GmbH and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

War dieser Artikel für dich interessant?