GitLab Wiki RCE via unsafe inline Kramdown options in markup rendering

Key Information Summary Vulnerability Title RCE via unsafe inline Kramdown options when rendering certain Wiki pages Vulnerability Description Summary: When rendering wiki content using specific extensions (e.g., ), calling invokes from the gem, which may lead to file upload. This vulnerability can be exploited by checking out wiki pages, committing files, and pushing changes. Technical Details: - After Kramdown is loaded, it will ultimately be rendered via the by calling . - Kramdown has a special extension that allows inline option settings, such as setting syntax highlighting options via . - The vulnerability exploits the option. Severity and Labels Labels: - CWE-94 - Weakness - HijackOne create - editor [DEPRECATED] - dev - group - priority 1 Timeline Created: Mar 14, 2021 Closed: Mar 18, 2021 Fix and Development Development: - Removed Kramdown patch and upgraded to v2.3.1 gem. - Render Kramdown via GitLab Markup. - Created pipeline/filter for Atlassian Docume... !32362 (merged) Participants 20 participants mentioned in the thread Status Status: Closed Resolved: Mar 18, 2021 Other Important Notes The vulnerability report was submitted via HackerOne. The GitLab team responded quickly and implemented both temporary and permanent fixes. A CVE ID has been requested for this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

GitLab Wiki RCE via unsafe inline Kramdown options in markup rendering