GitLab CE/EE Issue Status Manipulation Vulnerability in Public Projects

Vulnerability

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.5 prior to 17.5.5, 17.6 prior to 17.6.3, and 17.7 prior to 17.7.1. It allows unauthorized users to manipulate issue statuses in public projects. The root cause lies in 'ProcessCommitWorker', the component that automatically closes issues referenced in commit messages: it trusts the commit author's email address, which whoever creates a commit can set freely. An attacker can therefore forge commits that appear to come from an authorized user, effectively closing issues without permission.
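The trust boundary described above, as an added example that models it in simplified form; this is not GitLab's code, and the names (User, Project, Issue, Commit, process_commit_vulnerable, process_commit_hardened), the close-keyword pattern and the sample accounts and issue are assumptions constructed for the illustration. The vulnerable variant picks the acting user from the unverified commit author email; the hardened variant acts only as the authenticated pusher and requires the author email to be one of that pusher's own verified addresses.

```python
"""Simplified model of commit-driven issue auto-close (added example, not GitLab code).
All names and sample data here are constructed assumptions."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed close-keyword pattern, e.g. "Fixes #12" or "Closes #7".
CLOSE_PATTERN = re.compile(r"\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+#(\d+)\b", re.I)


@dataclass
class User:
    username: str
    verified_emails: Set[str]          # addresses this account has confirmed


@dataclass
class Issue:
    iid: int
    state: str = "opened"
    closed_by: Optional[str] = None


@dataclass
class Project:
    name: str
    members: Set[str]                  # usernames allowed to close issues
    issues: Dict[int, Issue] = field(default_factory=dict)


@dataclass
class Commit:
    author_email: str                  # free text chosen by whoever made the commit
    message: str
    pusher: User                       # the authenticated account that pushed it


def referenced_issues(message: str) -> List[int]:
    """Issue numbers the commit message asks to close."""
    return [int(m.group(1)) for m in CLOSE_PATTERN.finditer(message)]


def close_issues(project: Project, actor: User, message: str) -> List[int]:
    """Close every referenced open issue on behalf of actor; return what was closed."""
    closed = []
    for iid in referenced_issues(message):
        issue = project.issues.get(iid)
        if issue and issue.state == "opened":
            issue.state, issue.closed_by = "closed", actor.username
            closed.append(iid)
    return closed


def process_commit_vulnerable(commit: Commit, project: Project, users: List[User]) -> List[int]:
    """Resolves the actor from the *author email*, which is unverified input,
    so anyone who writes a member's address into a commit can impersonate them."""
    actor = next((u for u in users if commit.author_email in u.verified_emails), None)
    if actor is None or actor.username not in project.members:
        return []
    return close_issues(project, actor, commit.message)


def process_commit_hardened(commit: Commit, project: Project) -> List[int]:
    """Acts only as the authenticated pusher, and only when the author email
    belongs to that pusher; authorization is then checked for the real identity."""
    actor = commit.pusher
    if commit.author_email not in actor.verified_emails:
        return []                      # author identity does not match who pushed
    if actor.username not in project.members:
        return []                      # pusher is not allowed to close issues here
    return close_issues(project, actor, commit.message)


def demo() -> dict:
    """Constructed scenario: an outsider pushes a commit carrying a maintainer's email."""
    maintainer = User("maintainer", {"maintainer@example.org"})
    outsider = User("outsider", {"outsider@example.net"})
    users = [maintainer, outsider]

    def fresh_project() -> Project:
        return Project("public-app", {"maintainer"}, {42: Issue(42)})

    forged = Commit("maintainer@example.org", "Fixes #42", pusher=outsider)
    genuine = Commit("maintainer@example.org", "Fixes #42", pusher=maintainer)

    p_vuln, p_hard, p_ok = fresh_project(), fresh_project(), fresh_project()
    return {
        "vulnerable_closed": process_commit_vulnerable(forged, p_vuln, users),
        "hardened_closed": process_commit_hardened(forged, p_hard),
        "hardened_genuine_closed": process_commit_hardened(genuine, p_ok),
        "vulnerable_state": p_vuln.issues[42].state,
        "hardened_state": p_hard.issues[42].state,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pair is that the author email is a git header, not an authenticated identity: the only identity the server can vouch for is the account that pushed, so authorization has to be checked against that account, and the author email may at most be accepted when it is one of that account's verified addresses.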

Impact

Exploitation of this vulnerability allows for unauthorized closure of issues in public projects, potentially disrupting workflows and causing confusion.

Reproduction

To reproduce this vulnerability, an attacker must have an authenticated account on a GitLab instance that hosts public projects. The attacker forges a commit in a repository they own, using the email address of a victim who has open issues in a public project. Once the commit is pushed, the referenced issue in the victim's project is closed automatically, without authorization.

Remediation

GitLab has released patches for this vulnerability in versions 17.7.1, 17.6.3, and 17.5.5. Users are advised to update to one of these or a later version immediately.
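A check of a running version against the affected ranges stated in this advisory, as an added example (not GitLab tooling). The accepted version-string forms ('17.6.2', '17.6.2-ee', '17.6') are assumptions; the ranges themselves are taken from the advisory text.

```python
"""Classify a GitLab CE/EE version string against this advisory's affected ranges
(added example, not GitLab tooling; accepted input formats are assumptions)."""

import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, as stated in the advisory.
AFFECTED_RANGES = (
    ((15, 5, 0), (17, 5, 5)),   # 15.5 up to but not including 17.5.5
    ((17, 6, 0), (17, 6, 3)),   # 17.6 up to but not including 17.6.3
    ((17, 7, 0), (17, 7, 1)),   # 17.7 up to but not including 17.7.1
)


def parse_version(version: str) -> Version:
    """Turn '17.6.2', '17.6.2-ee' or '17.6' into a (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0]          # drop "-ee"/"-ce" style suffixes
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Patched release on the same line, or None when the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["17.6.2-ee"]:      # constructed default input
        fix = fixed_version_for(arg)
        print(f"{arg}: {'affected, upgrade to ' + fix if fix else 'not in an affected range'}")
```

Run it with the version reported by the instance (an authenticated call to the `/api/v4/version` endpoint returns it, as does the administration area); a version from an older major line still maps to 17.5.5 as the oldest patched release, since the advisory's first range starts at 15.5.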

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 6.6
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.