CVE-2023-3399
📋 TL;DR
This vulnerability allows unauthorized project or group members in GitLab EE to read CI/CD variables through custom project templates. It affects all GitLab EE installations running vulnerable versions. Attackers can access sensitive credentials and secrets stored in CI/CD variables.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CI/CD pipelines, credential theft leading to lateral movement, and potential supply chain attacks through stolen deployment secrets.
Likely Case
Unauthorized access to sensitive CI/CD variables containing API keys, tokens, passwords, and other credentials used in build and deployment processes.
If Mitigated
Limited impact if proper access controls and secret management are already implemented, though unauthorized access to any CI/CD variables remains a concern.
🎯 Exploit Status
Exploitation requires authenticated access as a project/group member, but the vulnerability allows privilege escalation beyond intended permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.3.6, 16.4.2, 16.5.1
Vendor Advisory: https://about.gitlab.com/releases/2023/06/22/critical-security-release-gitlab-16-5-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE version 16.3.6, 16.4.2, or 16.5.1, depending on your current version track.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable custom project templates
Temporarily disable the custom project templates feature to prevent exploitation (Linux, run on the GitLab host):
gitlab-rails runner "ApplicationSetting.current.update!(custom_project_templates_group_id: nil)"
🧯 If You Can't Patch
- Review and rotate all CI/CD variables and secrets stored in GitLab
- Implement strict access controls and audit project/group membership regularly
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area or command: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm version is 16.3.6, 16.4.2, or 16.5.1 or higher, and test that unauthorized members cannot access CI/CD variables via custom templates
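The verification steps above can be scripted so that the version string from `gitlab-rake gitlab:env:info` is compared against the fixed version for its own release track. The following is an added example, not code from this advisory or from GitLab; the fixed-version table is taken from the "Official Fix" section of this page, and a track older than any listed there is treated as needing an upgrade.

```python
import re
import subprocess

# Fixed versions as stated in this advisory, keyed by release track (major, minor).
FIXED_VERSIONS = {
    (16, 3): (16, 3, 6),
    (16, 4): (16, 4, 2),
    (16, 5): (16, 5, 1),
}


def parse_version(env_info: str) -> tuple:
    """Pull the 'GitLab version: X.Y.Z' line out of `gitlab-rake gitlab:env:info` output."""
    match = re.search(r"GitLab version:\s*(\d+)\.(\d+)\.(\d+)", env_info)
    if match is None:
        raise ValueError("no 'GitLab version: X.Y.Z' line found in input")
    return tuple(int(part) for part in match.groups())


def assess(version: tuple) -> str:
    """Classify an installed version against the fixed versions listed above.

    Returns 'fixed' when the install is at or above the fix for its track (or on a
    newer track than any listed), otherwise 'upgrade-required'.
    """
    track = version[:2]
    if track in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[track] else "upgrade-required"
    if track > max(FIXED_VERSIONS):
        # Newer track than any listed fix: covered by the advisory's "or higher".
        return "fixed"
    # Older track with no fix listed on this page: treat as needing an upgrade.
    return "upgrade-required"


if __name__ == "__main__":
    # Same command the advisory gives; requires a self-managed install and sudo.
    output = subprocess.run(
        ["sudo", "gitlab-rake", "gitlab:env:info"], capture_output=True, text=True, check=True
    ).stdout
    version = parse_version(output)
    print(".".join(map(str, version)), assess(version))
```

Run it on the GitLab host; it prints the detected version and either `fixed` or `upgrade-required`. Comparing tuples rather than strings avoids the classic mistake of treating `16.4.10` as lower than `16.4.2`.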
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to project template APIs
- Multiple failed or successful attempts to access CI/CD variables from unauthorized accounts
Network Indicators:
- HTTP requests to /api/v4/projects/:id/templates or similar template endpoints from unexpected sources
SIEM Query:
source="gitlab" AND (uri_path="/api/v4/projects/*/templates" OR (message="template" AND "variable"))
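The two log indicators above (template-endpoint reads and denied variable reads from the same account) can be correlated per user before they reach the SIEM. The following is an added example, not part of this advisory or of GitLab; the sample lines are constructed in the shape of GitLab's JSON API log (field names such as `path`, `status`, `username` and `remote_ip` are assumed to follow that log), and the thresholds are illustrative.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of GitLab's JSON API log (api_json.log).
# Field names are assumed to follow that log; users, IPs and paths are invented.
SAMPLE_LOG = """\
{"time":"2023-10-30T10:00:01Z","method":"GET","path":"/api/v4/projects/42/templates/gitlab_ci_ymls","status":200,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2023-10-30T10:00:02Z","method":"GET","path":"/api/v4/projects/42/variables","status":403,"username":"mallory","remote_ip":"198.51.100.7"}
{"time":"2023-10-30T10:00:03Z","method":"GET","path":"/api/v4/projects/42/templates/gitlab_ci_ymls/deploy","status":200,"username":"mallory","remote_ip":"198.51.100.7"}
{"time":"2023-10-30T10:00:04Z","method":"GET","path":"/api/v4/projects/42/templates/dockerfiles/Alpine","status":200,"username":"mallory","remote_ip":"198.51.100.7"}
{"time":"2023-10-30T10:00:05Z","method":"GET","path":"/api/v4/projects/42/merge_requests","status":200,"username":"bob","remote_ip":"10.0.0.9"}
"""

TEMPLATE_PATH = re.compile(r"^/api/v4/projects/[^/]+/templates(?:/|$)")
VARIABLE_PATH = re.compile(r"^/api/v4/(?:projects|groups)/[^/]+/variables(?:/|$)")


def parse_log(text: str):
    """Yield one dict per non-empty JSON line, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def scan(text: str, template_threshold: int = 2) -> list:
    """Correlate, per user, template-endpoint reads with denied CI/CD variable reads.

    A user is reported when they hit template endpoints at least `template_threshold`
    times, or when they combine any template read with a 401/403 on a variables
    endpoint (the pairing the advisory's log indicators describe).
    """
    template_hits = Counter()
    denied_variable_reads = Counter()
    source_ips = defaultdict(set)
    for rec in parse_log(text):
        user = rec.get("username") or "anonymous"
        path = rec.get("path", "")
        if TEMPLATE_PATH.match(path):
            template_hits[user] += 1
            source_ips[user].add(rec.get("remote_ip", "?"))
        elif VARIABLE_PATH.match(path) and rec.get("status") in (401, 403):
            denied_variable_reads[user] += 1
    alerts = []
    for user, hits in sorted(template_hits.items()):
        if hits >= template_threshold or denied_variable_reads[user]:
            alerts.append({
                "username": user,
                "template_requests": hits,
                "denied_variable_requests": denied_variable_reads[user],
                "remote_ips": sorted(source_ips[user]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only `mallory` is reported: two template reads plus a denied read of the project's variables, all from one external address. A single template read by a regular member, as for `alice`, stays below the threshold, which keeps the rule from paging on ordinary template browsing; tune the threshold to the baseline of your own instance.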