A security vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), which has been assigned the identifier CVE-2024-12619. This vulnerability affects all GitLab CE/EE versions from 16. before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. The issue allows internal users to gain unauthorized access to internal projects, potentially leading to information leaks and exploitation of project resources. In this post, we'll dive into the details of this vulnerability, provide a code snippet that demonstrates the problem, and outline the steps to mitigate the risk.

Vulnerability Details

The vulnerability in GitLab CE/EE lies in its authorization process for internal projects. Internal projects are meant to be accessible only to users within the organization who hold appropriate permissions. However, the vulnerability allows internal users without the required privileges to gain unauthorized access to these internal projects, exposing sensitive data and resources.

The following code snippet demonstrates the problem:

# Illustrative authorization check. `project` is assumed to be available on the
# receiver (for example, a policy object); this is not GitLab's actual code.
def user_has_project_access?(user)
  if project.internal?
    # Internal projects: the caller must be an internal user AND hold the
    # permissions the project requires.
    user.internal? && user.has_required_permissions?
  else
    # Other visibility levels: only the permission check applies.
    user.has_required_permissions?
  end
end

In this snippet, the user_has_project_access? function checks whether a user should be granted access to a project. However, the logic for ensuring that only internal users with required permissions can access internal projects is flawed. This allows internal users without the necessary permissions to slip through the authorization checks, gaining unauthorized access to internal projects.

Original References

- GitLab Security Advisory
- CVE-2024-12619 - NVD

Exploit Details

No public exploit is available at the time of writing, but the absence of a public exploit is not evidence that the vulnerability is not being exploited in the wild. Given the severity of the issue, organizations running the affected GitLab versions should take immediate action to mitigate the risk.

Mitigation Steps

To address the CVE-2024-12619 vulnerability in your GitLab CE/EE instance, you must upgrade to one of the following patched versions:

- GitLab CE/EE 17.8.6
- GitLab CE/EE 17.9.3
- GitLab CE/EE 17.10.1

Upgrading to these patched versions will fix the issue and prevent unauthorized access to internal projects.
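The following Ruby script is an added example, not code from the advisory or from GitLab, for checking whether an instance's reported version falls inside the affected ranges listed above and which patched release it should move to. It assumes the truncated lower bound "16." means 16.0.0, and it strips the "-ce"/"-ee" edition suffix that GitLab appends to its version string, because Gem::Version would otherwise treat "17.8.6-ee" as a pre-release older than 17.8.6 and wrongly report it as affected.

```ruby
# Added example: classify a GitLab CE/EE version against the CVE-2024-12619
# affected ranges stated in the advisory text above.
require "rubygems" # provides Gem::Version

# [lower bound (inclusive), first fixed version (exclusive upper bound)].
# Assumption: the advisory's "from 16." lower bound is read as 16.0.0.
AFFECTED_RANGES = [
  ["16.0.0",  "17.8.6"],
  ["17.9.0",  "17.9.3"],
  ["17.10.0", "17.10.1"],
].freeze

# Normalise a GitLab version string such as "17.8.5-ee" to "17.8.5".
# Without this, Gem::Version parses "-ee" as a pre-release tag, which
# sorts BEFORE the bare version and would misclassify fixed releases.
def normalize_gitlab_version(version_string)
  cleaned = version_string.to_s.strip.sub(/-(ce|ee)\z/i, "")
  raise ArgumentError, "unparseable version: #{version_string.inspect}" unless Gem::Version.correct?(cleaned)
  Gem::Version.new(cleaned)
end

# Returns the patched version the instance should upgrade to, or nil when
# the version is outside every affected range (already fixed or too old).
def cve_2024_12619_fix_for(version_string)
  v = normalize_gitlab_version(version_string)
  AFFECTED_RANGES.each do |lower, fixed|
    return fixed if v >= Gem::Version.new(lower) && v < Gem::Version.new(fixed)
  end
  nil
end

def affected?(version_string)
  !cve_2024_12619_fix_for(version_string).nil?
end

# Constructed sample inputs (not real instances) showing the boundaries.
if __FILE__ == $PROGRAM_NAME
  %w[16.11.0 17.8.5-ee 17.8.6-ee 17.9.2-ce 17.9.3 17.10.0 17.10.1 15.11.0].each do |ver|
    fix = cve_2024_12619_fix_for(ver)
    puts fix ? "#{ver}: AFFECTED, upgrade to #{fix}" : "#{ver}: not affected"
  end
end
```

Run it against the version shown on an instance's /help page or returned by its version API; an ArgumentError means the string could not be parsed and needs a manual look.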

Conclusion

CVE-2024-12619 is a critical vulnerability that affects a wide range of GitLab CE/EE instances. By allowing unauthorized access to internal projects, the vulnerability puts sensitive data and resources at risk. It is crucial that organizations running affected GitLab versions update their instances to the patched versions as soon as possible to prevent exploitation.

Timeline

Published on: 03/28/2025 10:15:15 UTC
Last modified on: 03/28/2025 18:11:40 UTC