CVE-2024-12292 - Sensitive Information Leakage in GitLab CE/EE due to GraphQL Mutation Logging Vulnerability

A security vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) which affects all versions starting from 11. prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2. This issue, identified as CVE-2024-12292, can result in sensitive information leakage due to improper logging of GraphQL mutation requests. This post will provide an in-depth analysis of the vulnerability, along with code snippets, original references, and details of the exploit.

Vulnerability Details

In the affected versions of GitLab, sensitive information passed in GraphQL mutation requests may have been retained in the GraphQL logs. This can result in unauthorized access to confidential data, potentially exposing user credentials or other sensitive details. Exploiting this vulnerability does not require any special authentication or privileges, allowing any user with access to the logs to potentially retrieve sensitive data.

Here is a code snippet demonstrating the issue in the affected versions

mutation {
  updateUserEmail(input: {
    user_id: $user_id,
    email: $new_email,
    password: $password
  }) {
    success
    errors
  }
}

In this example, the updateUserEmail mutation is called with the user ID, new email, and password as input variables. These values, including the password, can be logged and stored in the GraphQL logs, making them accessible to unauthorized users.

Original References

1. GitLab Security Advisory: Sensitive information disclosure in GraphQL logs - This is the official security advisory from GitLab which provides information on the affected versions and recommended actions to mitigate the issue.

2. CVE-2024-12292 details in NVD: CVE-2024-12292 - This link provides further details of the vulnerability from the National Vulnerability Database (NVD).

Exploit Details

An attacker can exploit this vulnerability by sending malicious GraphQL mutation requests containing sensitive information and subsequently accessing the GraphQL logs to obtain the logged data. The attacker can then use this information for further malicious activities, such as credential theft or unauthorized access to user accounts.

Mitigation

To protect your GitLab instance from this vulnerability, it is recommended to update to one of the fixed versions (17.4.6, 17.5.4, or 17.6.2) as mentioned in the GitLab Security Advisory. Additionally, be sure to monitor your GraphQL logs and remove or redact sensitive information using log filtering as necessary.

Conclusion

CVE-2024-12292 is a critical security vulnerability affecting GitLab CE/EE that can result in sensitive information leakage due to improper logging of GraphQL mutation requests. To safeguard your GitLab instance, it is imperative to update to the patched versions and monitor your logs for any potential exposure of sensitive data. Stay vigilant to protect your valuable information and maintain the security and privacy of your users.

Timeline

Published on: 12/12/2024 12:15:22 UTC