GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*
- >= 14.9, < 17.8.6
- >= 17.9, < 17.8.3
- >= 17.10, < 17.10.1
A command injection vulnerability has been identified in GitLab EE versions 14.9 prior to 17.8.6, 17.9 prior to 17.8.3, and 17.10 prior to 17.10.1. The issue arises from inadequate input validation in the Harbor registry integration, potentially allowing a maintainer to inject malicious code into CLI commands displayed in the user interface. This could lead to arbitrary command execution on the machine of a user interacting with the injected command, possibly with elevated privileges if the user has sudo access.
Exploitation of this vulnerability allows for arbitrary command execution on the affected user's machine, with the potential for elevated privileges if the user is in a sudoers role.
To reproduce this vulnerability, first create a new project in GitLab and navigate to the Harbor integration settings. Add a fake Harbor server URL and inject a command into the project name field. After saving the integration, go to the Harbor repositories page for the project. The injected command executes when a user copies the displayed CLI command and pastes it into a terminal.
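As an added illustration that is not GitLab's own code, the following Ruby (GitLab's implementation language) contrasts the vulnerable shape the record describes, raw interpolation of a user-controlled project name into the CLI command shown in the UI, with the two defensive layers a fix needs: validating the name when the integration is saved and shell-quoting every token when the command is rendered. The name pattern, host and function names are assumptions.

```ruby
require 'shellwords'

# Added illustration, not GitLab's code. The pattern is an assumption
# modelled on Harbor's project-name rules (lowercase letters, digits and
# . _ - separators); adjust it to your registry's policy.
HARBOR_PROJECT_NAME = /\A[a-z0-9]+(?:[._-][a-z0-9]+)*\z/

class InvalidHarborProjectName < StandardError; end

# Layer 1: validate at save time so a shell payload never reaches storage.
def validate_harbor_project_name!(name)
  return name if name.match?(HARBOR_PROJECT_NAME)

  raise InvalidHarborProjectName, "rejected Harbor project name: #{name.inspect}"
end

# Vulnerable shape: raw interpolation of a user-controlled value into the
# command string the UI offers for copy/paste. A name such as
# "library; echo injected" turns the displayed text into two commands.
def unsafe_harbor_pull_command(host, project, repo)
  "docker pull #{host}/#{project}/#{repo}"
end

# Layer 2: shell-quote every token at render time (defence in depth), so
# metacharacters in any component stay literal characters when pasted.
def render_harbor_pull_command(host, project, repo)
  Shellwords.join(['docker', 'pull', "#{host}/#{project}/#{repo}"])
end

# Both layers together: reject bad names, and quote whatever is rendered.
def safe_harbor_pull_command(host, project, repo)
  render_harbor_pull_command(host, validate_harbor_project_name!(project), repo)
end

if __FILE__ == $PROGRAM_NAME
  host = 'harbor.example.test' # constructed sample host
  puts safe_harbor_pull_command(host, 'library', 'nginx')
  puts unsafe_harbor_pull_command(host, 'library; echo injected', 'nginx')
  puts render_harbor_pull_command(host, 'library; echo injected', 'nginx')
end
```

With the quoted form, the injected text is delivered to `docker pull` as one odd argument rather than a second command, and the validator stops it from ever being stored.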
GitLab has released patches for this vulnerability in versions 17.8.6, 17.9.3, and 17.10.1. Users can update to these versions to address the issue.