GitLab EE Google Cloud IAM Integration Input Validation Vulnerability Allowing Code Injection

Vulnerability

A vulnerability exists in GitLab EE versions 17.2 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. The issue arises from inadequate input validation in the Google Cloud IAM integration feature, potentially allowing a Maintainer to inject malicious code.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the victim's machine, executed as the victim user. The injected payload could also include sudo commands, which might be executed directly or prompt the user for sudo rights, depending on the user's recent sudo activity.

Reproduction

To reproduce this vulnerability, a group with an Ultimate license is required. First, create two users with Maintainer roles: one as the 'attacker' and the other as the 'victim'. The 'attacker' should log in and navigate to the Google Cloud IAM integration settings for the group. Here, they can inject a payload into the 'Pool ID' field, taking advantage of the lack of input restrictions. After logging out and having the 'victim' user log in, the injected payload can be executed by copying the generated command from the Google Artifact Management integration settings.
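The root cause described above is a stored setting (the Pool ID) that is later rendered into a command the next user copies and runs. The following Ruby snippet is an added example, not GitLab's own code or its fix: it shows the unsafe "before" shape beside a hardened form that validates the value against an allowlist at save time and shell-escapes it at render time. The pool ID format (lowercase letters, digits and hyphens, 4-32 characters, starting with a letter), the `gcloud` command shape, and the function names are assumptions for illustration.

```ruby
# Added example, not GitLab's code: allowlist validation for a workload
# identity pool ID before it is interpolated into a copy-and-paste command.
require 'shellwords'

# Assumed format for Google Cloud pool IDs (lowercase letters, digits and
# hyphens, 4-32 characters, starting with a letter). Treat this as an
# assumption, not a statement of what GitLab actually enforces.
POOL_ID_PATTERN = /\A[a-z][a-z0-9-]{3,31}\z/.freeze

class InvalidPoolIdError < StandardError; end

# true only when the stored value matches the allowlist exactly.
def valid_pool_id?(value)
  value.is_a?(String) && POOL_ID_PATTERN.match?(value)
end

# 'Before' shape: the stored setting is dropped straight into the command
# string, so any shell metacharacters the field contains become part of the
# command the next user copies. (Hypothetical command; the real generated
# command is not shown on the page.)
def naive_command(pool_id)
  "gcloud iam workload-identity-pools describe #{pool_id} --location global"
end

# Hardened shape: reject anything outside the allowlist and, as a second
# layer, shell-escape every interpolated value when rendering.
def hardened_command(pool_id)
  raise InvalidPoolIdError, "pool ID rejected by allowlist" unless valid_pool_id?(pool_id)

  ["gcloud", "iam", "workload-identity-pools", "describe", pool_id,
   "--location", "global"].shelljoin
end

# Detection-style check for the rendered text: true when no shell command
# separator or substitution character survived into the copied command.
def single_command?(rendered)
  !rendered.match?(/[;&|`$\n]/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs for the demonstration.
  ["my-pool-01", "pool; echo injected", "Bad_Pool"].each do |id|
    puts "#{id.inspect}: valid=#{valid_pool_id?(id)}"
  end
end
```

The allowlist is the primary control: a value that cannot contain a separator cannot smuggle a second command, whatever a later rendering step does with it. The `shelljoin` call is defence in depth for the case where the rendering code is reused with a field that has no such allowlist.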

Remediation

Users can update to GitLab EE versions 17.7.7, 17.8.5, or 17.9.2 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 10.0
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.