GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:* (2 further CPE entries not shown on this page)
- >= 15.10, < 17.7.6
- >= 17.8, < 17.8.4
- >= 17.9, < 17.9.1
A cross-site scripting (XSS) vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. The issue arises from the Kubernetes proxy endpoint, which fails to properly validate the 'Content-Type' header in responses. This oversight allows browsers to perform MIME sniffing and potentially render content as HTML, creating an XSS risk. Although the endpoint typically requires a CSRF token for protection, this can be bypassed on self-hosted instances under certain conditions, such as when the response includes a 'Cache-Control: max-age=604800' header, allowing the cached response to be served without the token.
Exploitation of this vulnerability leads to cross-site scripting, with the added risk of bypassing any Content Security Policy (CSP) that may be in place.
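The description above combines two conditions: a proxied response whose Content-Type is not validated, so the browser may MIME-sniff it into HTML, and a long-lived Cache-Control value that lets such a response be served from a cache without the usual CSRF token check. The following added example (written for this page, not GitLab's own code, and using constructed sample responses) audits a raw HTTP response head for exactly those two properties, so a defender can check what a proxy or reverse proxy actually emits. The policy it applies is an assumption stated in the comments: a response is treated as sniff-resistant only when it declares a Content-Type and sends X-Content-Type-Options: nosniff, and as cacheable when Cache-Control carries a positive max-age without no-store.

```python
"""Audit an HTTP response head for MIME-sniffing and caching risk.

Added example, not GitLab's code. Sample responses are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: no Content-Type, no nosniff, cached for a week.
RISKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=604800\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)

# Constructed sample: typed, nosniff, never stored by a cache.
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "{}"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header dict.

    The status line is skipped and the body after the blank line is ignored;
    a repeated header keeps its last value, which is enough for this audit.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def max_age(cache_control: Optional[str]) -> int:
    """Return the effective max-age in seconds (0 if absent or no-store)."""
    if not cache_control:
        return 0
    directives = [d.strip().lower() for d in cache_control.split(",")]
    if "no-store" in directives:
        return 0
    for directive in directives:
        match = re.fullmatch(r"max-age=(\d+)", directive)
        if match:
            return int(match.group(1))
    return 0


def assess(raw: str) -> dict:
    """Classify a response head; findings are empty when nothing is flagged.

    Assumed policy (not taken from the advisory): sniffing is considered
    prevented only by a declared Content-Type plus nosniff; caching risk is
    a positive max-age, since a cached copy may be replayed without the
    per-request token check the advisory describes.
    """
    headers = parse_headers(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    ttl = max_age(headers.get("cache-control"))

    findings: List[str] = []
    if not media_type:
        findings.append("missing-content-type")
    if not nosniff:
        findings.append("no-nosniff")
    if media_type in ("text/html", "application/xhtml+xml"):
        findings.append("html-content-type")  # rendered as HTML without sniffing
    if ttl > 0:
        findings.append("cacheable")

    sniffable = not media_type or not nosniff
    if sniffable and ttl > 0:
        risk = "high"    # renderable and replayable from cache
    elif sniffable or "html-content-type" in findings:
        risk = "medium"  # renderable, but only in a fresh, token-checked request
    else:
        risk = "low"
    return {"media_type": media_type, "nosniff": nosniff,
            "max_age": ttl, "findings": findings, "risk": risk}


if __name__ == "__main__":
    for label, sample in (("risky", RISKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, assess(sample))
```

Running the block prints one line per constructed sample; the risky head is rated high because it is both sniffable and cached for 604800 seconds, while the safe head produces no findings. Pointing the same function at captured proxy responses (for example the head returned by a reverse proxy in front of an application) shows whether the hardening headers survive the proxy layer.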
To reproduce this vulnerability, set up a self-hosted GitLab instance and enable CSP. After reconfiguring GitLab, log in as a regular user and create a new group. Add two projects, then configure a GitLab agent to connect to a Kubernetes cluster. Create an environment in the second project that includes a link to the Kubernetes proxy API. When the link is clicked, the XSS payload will execute, demonstrating the vulnerability.
This vulnerability has been fixed in GitLab versions 17.9.1 and 17.8.4. Users should upgrade to these versions.