GitLab CE/EE Unauthenticated Access to Runtime Profiling Data Vulnerability

Vulnerability

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4. On affected Omnibus installations the GitLab Workhorse service exposes its Go 'pprof' runtime profiling endpoint on a network port without any authentication, so an unauthenticated user can retrieve profiling data (CPU, heap and goroutine profiles) that reveals the application's performance and resource-usage characteristics.

Impact

An attacker who can reach the exposed port gains unauthorized access to sensitive runtime profiling data. Beyond performance and resource-usage patterns, the goroutine and CPU profiles served by 'pprof' contain stack traces with internal function and package names, which aids reconnaissance against the instance.

Reproduction

The vulnerability can be reproduced by installing GitLab EE Omnibus version 17.9.1. After the installation, Workhorse's 'pprof' debugging endpoint is listening on an ephemeral TCP port (above 32768) without any authentication. The port can be identified locally with 'netstat' or 'ss' (run as root so the owning 'gitlab-workhorse' process is shown) or remotely by scanning the server with 'nmap'. Once the port is known, the profiling data under '/debug/pprof/' can be fetched with 'curl' or loaded directly with 'go tool pprof'.
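The discovery and probing steps above, written out as an added shell example (this is not GitLab's code or the reporter's script). It parses `ss -H -ltnp` output to find ephemeral-range listeners owned by the `gitlab-workhorse` process and then requests the standard pprof index page. The `ss` output embedded below is constructed for illustration, and the probe assumes plain HTTP on the host given in `PPROF_HOST`.

```shell
#!/bin/sh
# Added example: locate the unauthenticated Workhorse pprof listener and probe it.

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
# Column 4 is "Local Address:Port"; the process name appears in the last column.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("puma",pid=1201,fd=9))
LISTEN 0 4096 *:34567 *:* users:(("gitlab-workhorse",pid=1337,fd=7))
LISTEN 0 4096 127.0.0.1:9229 0.0.0.0:* users:(("gitlab-workhorse",pid=1337,fd=8))'

# Read `ss -H -ltnp` lines on stdin and print every port above 32768 that is
# owned by gitlab-workhorse. The last colon-separated field is the port, which
# also works for IPv6 addresses such as [::]:34567.
find_pprof_ports() {
    awk '/"gitlab-workhorse"/ {
            n = split($4, a, ":"); port = a[n]
            if (port + 0 > 32768) print port
        }'
}

# Fetch the pprof index and print only the HTTP status code. On an affected
# instance this returns 200 with no credentials supplied.
probe_pprof() {
    host="$1"; port="$2"
    curl -s -o /dev/null -w '%{http_code}' "http://${host}:${port}/debug/pprof/"
}

# Live run (only when PPROF_HOST is set, so the script is safe to source):
#   PPROF_HOST=gitlab.example.internal sh pprof_probe.sh
if [ -n "${PPROF_HOST:-}" ]; then
    for p in $(ss -H -ltnp | find_pprof_ports); do
        echo "port $p: HTTP $(probe_pprof "$PPROF_HOST" "$p")"
        # To inspect a profile instead of just the index:
        #   go tool pprof -top "http://${PPROF_HOST}:${p}/debug/pprof/heap"
    done
fi
```

Run the live branch on the GitLab host itself (ss -p needs root to attribute sockets to other users' processes); from another machine, substitute the port reported by nmap.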

Remediation

The fix is to upgrade to GitLab 17.9.6 or 17.10.4 (or later). As a workaround, the exposed 'pprof' port can be deactivated by setting 'gitlab_workhorse[pprof_listen_addr]' to 'null' (written 'nil' in the Ruby syntax of the 'gitlab.rb' configuration file) and running 'gitlab-ctl reconfigure'; afterwards, confirm with 'ss' or 'netstat' that 'gitlab-workhorse' no longer listens on an ephemeral port.
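An added example (not GitLab's own tooling) that applies the workaround above to a 'gitlab.rb' file and verifies the effective setting before reconfiguring. It assumes that 'nil' is the gitlab.rb (Ruby) spelling of the 'null' value the remediation calls for, and that the key is spelled exactly 'gitlab_workhorse['pprof_listen_addr']'. The sample 'gitlab.rb' content is constructed for illustration.

```shell
#!/bin/sh
# Added example: disable the Workhorse pprof listener in gitlab.rb and verify it.
# Assumption: `nil` is the gitlab.rb spelling of the page's 'null'.

KEY="gitlab_workhorse\['pprof_listen_addr'\]"

# Write a constructed gitlab.rb to the path given as $1 (sample input only).
make_sample_rb() {
    cat > "$1" <<'EOF'
external_url 'https://gitlab.example.internal'
gitlab_workhorse['prometheus_listen_addr'] = "localhost:9229"
# gitlab_workhorse['pprof_listen_addr'] = "localhost:0"
EOF
}

# Print the value of the last active (uncommented) pprof_listen_addr line, if any.
pprof_setting() {
    grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Rewrite an existing active setting, or append one, so the listener is disabled.
# Commented-out lines are left untouched. Uses a temp file instead of sed -i for portability.
disable_workhorse_pprof() {
    f="$1"
    if grep -qE "^[[:space:]]*${KEY}[[:space:]]*=" "$f"; then
        sed -E "s|^([[:space:]]*)${KEY}[[:space:]]*=.*|\1gitlab_workhorse['pprof_listen_addr'] = nil|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf "\n# Disable the unauthenticated Workhorse pprof listener\ngitlab_workhorse['pprof_listen_addr'] = nil\n" >> "$f"
    fi
}

# Succeeds (exit 0) only when the effective setting is nil.
pprof_disabled() {
    [ "$(pprof_setting "$1")" = "nil" ]
}

# Live run against the real configuration (only when APPLY=1 is set):
#   sudo APPLY=1 sh pprof_disable.sh
if [ "${APPLY:-}" = "1" ]; then
    disable_workhorse_pprof /etc/gitlab/gitlab.rb
    pprof_disabled /etc/gitlab/gitlab.rb && gitlab-ctl reconfigure
fi
```

After 'gitlab-ctl reconfigure' has restarted Workhorse, re-run the port check from the Reproduction section; the ephemeral-port listener should be gone.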

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          7.3
impact          2.5
exploitability  9.5
remediation     8.3
relevance       0.0
threat          6.4
urgency         2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.