CVE-2023-2442

8.7 HIGH

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in GitLab allows attackers to inject malicious scripts into merge requests. When victims view these crafted merge requests, the scripts execute in their browser, enabling attackers to perform actions on behalf of authenticated users. All GitLab CE/EE instances running affected versions are vulnerable.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: All versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: All GitLab deployments with merge request functionality enabled are affected. No special configuration required for exploitation.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform account takeover, exfiltrate sensitive data, or execute administrative actions on behalf of victims, potentially compromising the entire GitLab instance and connected systems.

🟠

Likely Case

Attackers with repository access could create malicious merge requests to steal credentials or session tokens from other developers and administrators who review them.

🟢

If Mitigated

With proper content security policies and input validation, the impact is limited to isolated session compromise rather than full system takeover.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires repository access to create merge requests. The vulnerability is well-documented in public reports with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.11.7, 16.0.2, or later

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2442.json

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update to GitLab 15.11.7 or 16.0.2 (or later) using your package manager.
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services with 'gitlab-ctl restart'.

🔧 Temporary Workarounds

Disable merge request creation

Temporarily turn off the merge request feature for every project. This is a blunt control that blocks all merge request workflows until reverted, so plan the change with the teams affected.

gitlab-rails console
# The merge_requests_access_level column lives on project_features, not projects,
# so the update must target ProjectFeature. DISABLED (0) turns the feature off;
# PRIVATE (10) would instead restrict it to project members.
ProjectFeature.update_all(merge_requests_access_level: ProjectFeature::DISABLED)

Implement Content Security Policy

Add a CSP header that blocks inline script execution. Add the following line to /etc/gitlab/gitlab.rb and run 'gitlab-ctl reconfigure':

nginx['custom_gitlab_server_config'] = "add_header Content-Security-Policy \"default-src 'self'; script-src 'self'\";"

Caveat: GitLab already emits its own Content-Security-Policy header, and browsers enforce every CSP header they receive, so a second, stricter policy applies on top of it. A bare script-src 'self' does not allow the inline scripts GitLab's pages rely on and may break the web UI; test this on a staging instance before applying it to production.

🧯 If You Can't Patch

  • Restrict merge request creation to administrators only
  • Implement web application firewall rules to block XSS payloads in merge requests

🔍 How to Verify

Check if Vulnerable:

Check GitLab version with: grep gitlab /opt/gitlab/version-manifest.txt

Check Version:

gitlab-rake gitlab:env:info | grep Version

Verify Fix Applied:

Confirm version is 15.11.7+, 16.0.2+, or later with: gitlab-rake gitlab:env:info | grep Version
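To script the version comparison against the advisory's two affected ranges (15.11.0 up to but not including 15.11.7, and 16.0.0 up to but not including 16.0.2), here is an added example that is not GitLab's own tooling. It parses the first X.Y.Z it finds in command output such as the 'Version:' line from 'gitlab-rake gitlab:env:info'; the sample strings at the bottom are constructed, not real captures.

```python
"""Affected-range check for CVE-2023-2442 (added example, not vendor tooling)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (major, minor) -> first fixed patch level, taken from the advisory:
# >= 15.11 and < 15.11.7, or >= 16.0 and < 16.0.2.
FIXED_BRANCHES = {
    (15, 11): 7,
    (16, 0): 2,
}


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z found in text (e.g. 'Version:\t16.0.1-ee' from
    gitlab-rake gitlab:env:info), or None if nothing version-like is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True only for versions inside the advisory's two affected ranges.
    Other minor series (15.10.x, 16.1.x, ...) are not listed as affected
    on this page, so they return False; re-check the vendor advisory for
    anything the page does not cover."""
    major, minor, patch = version
    fixed = FIXED_BRANCHES.get((major, minor))
    return fixed is not None and patch < fixed


def assess(command_output: str) -> str:
    """Human-readable verdict for a captured command output string."""
    v = parse_version(command_output)
    if v is None:
        return "unknown: no version found in input"
    label = "affected" if is_affected(v) else "not in affected range"
    return f"{'.'.join(map(str, v))}: {label}"


if __name__ == "__main__":
    # Constructed sample outputs (assumed formats), not real captures.
    for sample in ("Version:\t15.11.6-ee", "Version:\t16.0.2", "gitlab-ce 16.0.1"):
        print(assess(sample))
```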

📡 Detection & Monitoring

Log Indicators:

  • Unusual merge request creation patterns
  • JavaScript payloads in merge request descriptions or comments
  • Multiple failed authentication attempts following merge request views

Network Indicators:

  • Outbound connections to suspicious domains from GitLab server
  • Unexplained data exfiltration patterns

SIEM Query:

source="gitlab" AND ("merge request" AND ("javascript:" OR "data:" OR "<script"))
