Vulnerability description
GitLab is a Git-based code hosting, version control, and collaborative development platform.
In GitLab CE/EE versions 15.11 to 15.11.6 and 16.0 to 16.0.1, when GitLab imports a GitHub repository, if the GitHub repository contains label colors of malicious JavaScript code constructed by the user, parsing these label colors may cause storage Type XSS vulnerability.
Vulnerability name | GitLab CE/EE has a stored XSS vulnerability |
---|---|
Vulnerability type | cross site scripting |
Discovery time | 2023/6/7 |
Vulnerability Breadth | wide |
MPS number | MPS-gl20-qxyv |
CVE number | CVE-2023-2442 |
CNVD number | - |
Sphere of influence
GitLab CE/EE@[16.0, 16.0.2)
GitLab CE/EE@[15.11, 15.11.7)
Repair plan
GitLabCE/EE can be upgraded to 16.0.2 or later according to https://gitlab-com.gitlab.io/support/toolbox/upgrade-path/
GitLabCE/EE can be upgraded to 15.11.7 or later according to https://gitlab-com.gitlab.io/support/toolbox/upgrade-path/
reference link
https://www.oscs1024.com/hd/MPS-gl20-qxyv
https://gitlab.com/gitlab-org/gitlab/-/issues/370873
https://hackerone.com/reports/1665658
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj