GitLab XSS Exploit Through Autocomplete Results

SonicWall researchers disclosed a stored cross-site scripting (XSS) vulnerability in GitLab’s “autocomplete for issues reference” that allows an attacker with issue-creation rights to inject a payload which executes when a user triggers autocomplete by typing “#”. GitLab published an advisory for CVE-2024-2279 and released patches; users are urged to upgrade immediately. #GitLab #CVE-2024-2279

Keypoints

  • Vulnerability: Stored XSS in GitLab’s rich text editor autocomplete for issue references (CVE-2024-2279) due to missing escaping when suggestions are rendered.
  • Affected versions: GitLab CE/EE starting from 16.7 up to 16.8.6, 16.9 before 16.9.4, and 16.10 before 16.10.2.
  • Prerequisites: attacker must have network access and rights to create issues in the target project to inject the malicious issue title.
  • Exploit mechanics: attacker creates an issue title containing a crafted payload (e.g., an <img> tag pointing to an attacker server); the payload executes when a victim types “#” to trigger autocomplete.
  • Impact: arbitrary actions can run in the victim’s browser (such as fetching resources from attacker-controlled servers), enabling information leakage or further client-side actions.
  • Fix and protections: GitLab patched the issue by applying Lodash’s escape method to suggestions; SonicWall released IPS signatures 4383 and 4385 to detect exploitation attempts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker exploits a web-app input validation flaw in GitLab’s autocomplete for issue references by creating a crafted issue title that later appears in suggestions. (‘This vulnerability arises due to a flaw in the input validation mechanism while displaying suggestions to the user using the feature called ‘autocomplete for issues reference’ in the rich text editor.’)
  • [T1203] Exploitation for Client Execution – The stored payload executes in the victim’s browser when autocomplete is triggered (typing “#”), enabling arbitrary client-side actions. (‘the payload will be triggered… which leads to an automatic execution of arbitrary action specified in the payload.’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The XSS allows execution of script-level actions (for example, making requests to attacker-controlled resources) within the user’s browser context. (‘This could include actions such as requesting a resource from the attacker-controlled server.’)

Indicators of Compromise

  • [CVE] vulnerability identifier – CVE-2024-2279
  • [Software versions] affected GitLab releases – 16.7 → 16.8.6, 16.9 (before 16.9.4), 16.10 (before 16.10.2)
  • [File name] malicious resource hosted by attacker – x.svg
  • [Payload snippet] example injected issue title – ‘Malicious issue <img src="http[:]//<attacker_controlled_server>/x.svg">’
  • [Access logs] evidence of exploitation – web server access requests for the attacker’s hosted resource (shown in SonicWall’s analysis figures)

This issue is caused by inadequate escaping when the backend returns autocomplete suggestions for issue references: when a user types “#”, the suggestions list can include unescaped issue titles. An attacker with rights to create issues can store a crafted title containing HTML (for example, an <img> tag referencing an attacker-hosted x.svg). Because the autocomplete rendering did not escape special characters, the injected content is inserted into the DOM and can execute in the context of a browsing user when they trigger autocomplete.

To exploit, the attacker creates the malicious issue containing a payload such as: Malicious issue <img src="http://<attacker_controlled_server>/x.svg"> and hosts x.svg on their server. The victim merely needs to type “#” in a rich-text field (e.g., a comment box) to cause the autocomplete to render the malicious title and execute the payload; successful triggers can be observed as access requests to the attacker’s server in web logs.

Mitigation: GitLab patched the defect by applying Lodash’s escape function to autocomplete suggestions so special characters (&, <, >, ", ') are replaced with HTML entities before insertion into the DOM. Administrators should upgrade affected instances to the fixed releases (per the GitLab advisory). SonicWall also released IPS signatures (4383 and 4385) to detect related exploitation attempts.
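How the escaping fix neutralises a stored title, as an added illustration (not GitLab’s or SonicWall’s code): escapeHtml reproduces the character map of Lodash’s escape, the renderSuggestions* functions are a minimal stand-in for the “#” dropdown rendering, and attacker.example is a placeholder host.

```javascript
// Character map used by Lodash's _.escape: &, <, >, " and ' become entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Single-pass replacement, so already-escaped text is never double-escaped.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (stand-in for the pre-patch behaviour): the stored issue title
// is interpolated into the suggestion markup unescaped, so HTML in the title goes live
// as soon as the dropdown is rendered.
function renderSuggestionsVulnerable(issues) {
  return issues.map((i) => `<li>#${i.iid} ${i.title}</li>`).join('');
}

// Fixed pattern: every user-controlled field is escaped before it reaches the DOM.
function renderSuggestionsFixed(issues) {
  return issues.map((i) => `<li>#${i.iid} ${escapeHtml(i.title)}</li>`).join('');
}

// Constructed sample data: one benign issue and one whose title carries the
// crafted <img> payload from the advisory, with a placeholder host.
const SAMPLE_ISSUES = [
  { iid: 1, title: 'Fix login timeout' },
  { iid: 2, title: 'Malicious issue <img src="http://attacker.example/x.svg">' },
];

// Test-time check: does the rendered HTML contain any tag other than the <li>
// elements the template itself emits? Anything else came from stored data.
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

const vulnerableHtml = renderSuggestionsVulnerable(SAMPLE_ISSUES);
const fixedHtml = renderSuggestionsFixed(SAMPLE_ISSUES);
console.log('unescaped render injects markup:', containsForeignTag(vulnerableHtml)); // true
console.log('escaped render injects markup:', containsForeignTag(fixedHtml));        // false
```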

Read more: https://blog.sonicwall.com/en-us/2024/04/gitlab-xss-via-autocomplete-results/