A critical vulnerability (CVE-2024-2191) was discovered in GitLab CE/EE, affecting all versions from 16.9 to 17.1.1, which could expose merge request titles publicly, despite the project settings restricting visibility to members only. This post will delve into the details of the exploit, the affected GitLab versions, and the steps necessary to mitigate this vulnerability.

Affected Versions

- All GitLab CE/EE versions starting from 16.9 prior to 16.11.5
- All GitLab CE/EE versions starting from 17.0 prior to 17.0.3
- All GitLab CE/EE versions starting from 17.1 prior to 17.1.1

Exploit Details

The root cause of the vulnerability is that the merge request title is not correctly hidden when a project's visibility settings restrict access to members only. As a result, unauthorized users may be able to view the title when they should not have permission to do so.

Consider the following code snippet representing a vulnerable implementation in GitLab:

def get_merge_request_title(merge_request):
    # Project visibility is checked, but the caller's identity is never
    # passed in: `user` is not a parameter of this function.
    if merge_request.project.is_public():
        return merge_request.title
    elif user.is_member_of(merge_request.project):
        return merge_request.title
    else:
        return 'Restricted Access'

The issue can be seen in the get_merge_request_title function. The title is returned if the project is public or if the user is a member of it; in all other cases the function returns "Restricted Access" to represent restricted visibility. Note that user is never passed into the function, so the membership check is not made against the identity of the actual caller.

A potential fix for this vulnerability is to ensure that merge request titles are only visible to authorized users:

def get_merge_request_title(merge_request, user):
    # The caller is now an explicit parameter; an anonymous caller (user is
    # None) is treated as a non-member and falls through to the restricted branch.
    if merge_request.project.is_public():
        return merge_request.title
    elif user and user.is_member_of(merge_request.project):
        return merge_request.title
    else:
        return 'Restricted Access'

By passing the user variable to the get_merge_request_title function, we can now ensure that only authorized users will be able to access the merge request title.
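The snippets above show only the public/member distinction. The following is an added example, not GitLab's code and not part of the original post, that carries the same check through the other cases a defender cares about: internal projects, anonymous callers, and a project whose "Merge Requests" feature is set to members only. The Project, MergeRequest and User classes and the sample data are constructed for this illustration; the caller identity is a required parameter and every branch is deny-by-default.

```python
"""Added example (not GitLab's code): an explicit, deny-by-default
authorization check for merge request titles.

It models GitLab's three project visibility levels and the per-project
"Merge Requests" access level ("enabled", "private" = members only,
"disabled"). The caller identity is always passed in; there is no implicit
or global `user`. All class names and sample data are constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional

REDACTED = "Restricted Access"


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Project:
    name: str
    visibility: str                                 # "public", "internal" or "private"
    merge_requests_access_level: str = "enabled"    # "enabled", "private" or "disabled"
    members: set = field(default_factory=set)

    def is_member(self, user: Optional[User]) -> bool:
        # Anonymous callers (None) are never members.
        return user is not None and user.username in self.members


@dataclass
class MergeRequest:
    project: Project
    title: str


def can_read_merge_request(mr: MergeRequest, user: Optional[User]) -> bool:
    """Return True only if `user` may read merge requests of `mr.project`.

    Every branch that grants access names the condition it relies on;
    anything not explicitly allowed falls through to False.
    """
    project = mr.project
    if project.merge_requests_access_level == "disabled":
        return False                      # feature off: nobody, members included
    if project.is_member(user):
        return True                       # members pass whenever the feature is on
    if project.merge_requests_access_level == "private":
        return False                      # "Members Only": non-members never see MRs
    if project.visibility == "public":
        return True                       # anonymous and signed-in alike
    if project.visibility == "internal":
        return user is not None           # any signed-in user, but not anonymous
    return False                          # private project, non-member


def get_merge_request_title(mr: MergeRequest, user: Optional[User]) -> str:
    return mr.title if can_read_merge_request(mr, user) else REDACTED


def sample_cases() -> dict:
    """Constructed scenarios; returns the title each caller would see."""
    alice, bob = User("alice"), User("bob")
    private_proj = Project("secret", "private", members={"alice"})
    public_members_only = Project("site", "public",
                                  merge_requests_access_level="private",
                                  members={"alice"})
    internal_proj = Project("tools", "internal")
    secret_mr = MergeRequest(private_proj, "Rotate signing key")
    site_mr = MergeRequest(public_members_only, "Fix typo")
    tools_mr = MergeRequest(internal_proj, "Bump deps")
    return {
        "member_private": get_merge_request_title(secret_mr, alice),
        "nonmember_private": get_merge_request_title(secret_mr, bob),
        "anon_private": get_merge_request_title(secret_mr, None),
        "nonmember_public_members_only": get_merge_request_title(site_mr, bob),
        "anon_internal": get_merge_request_title(tools_mr, None),
        "signed_in_internal": get_merge_request_title(tools_mr, bob),
    }


if __name__ == "__main__":
    for case, title in sample_cases().items():
        print(f"{case:32s} -> {title}")
```

The point of the ordering is that the most restrictive settings are tested first (feature disabled, then members-only), so a later, more permissive branch such as "public project" can never override them; the vulnerable snippet above does the opposite by checking public visibility before anything else.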

Original References

- GitLab Security Advisory: CVE-2024-2191
- GitLab Merge Request: Fix visibility of merge request titles

Mitigation Steps

1. Upgrade GitLab to the latest patch version mentioned in the "Affected Versions" section.

2. Verify project visibility settings to ensure that the "Merge Requests" section is set to "Members Only" where necessary.
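Both mitigation steps can be checked from an instance's own API output. The following added example (not part of the original post, and not a GitLab tool) encodes the affected ranges from the "Affected Versions" list as data and audits project records for the "Merge Requests" access level. The version strings and project records below are constructed; on a real instance the version comes from GET /api/v4/version and the project fields from GET /api/v4/projects. The middle range is read as 17.0 up to, but not including, 17.0.3, which is an assumption about the garbled "17." entry in the list.

```python
"""Added example (not GitLab's code): offline checks for the two mitigation
steps. Affected ranges are taken from this post's "Affected Versions" list.
The sample version strings and project records are constructed, shaped like
the output of GET /api/v4/version and GET /api/v4/projects respectively.
"""
from typing import Iterable, List, Tuple

# (first affected, first fixed) per release series, as listed in this post.
AFFECTED_RANGES: List[Tuple[tuple, tuple]] = [
    ((16, 9, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),   # assumption: the garbled "17." entry read as 17.0 -> 17.0.3
    ((17, 1, 0), (17, 1, 1)),
]


def parse_version(text: str) -> tuple:
    """'17.0.2-ee' -> (17, 0, 2). Edition suffixes such as '-ee' are dropped;
    missing components are padded with zeros so '17.1' compares as 17.1.0."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text: str) -> bool:
    """True if the version falls inside any affected range (half-open)."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def audit_merge_request_access(projects: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (path, visibility) for projects whose "Merge Requests" feature is
    not restricted to members. GitLab reports the setting as
    merge_requests_access_level: "enabled" (everyone with access to the
    project), "private" (members only) or "disabled". An admin reviews the
    returned list and decides where "Members Only" is necessary."""
    findings = []
    for p in projects:
        level = p.get("merge_requests_access_level", "enabled")
        if level == "enabled":
            findings.append((p["path_with_namespace"], p.get("visibility", "unknown")))
    return findings


# Constructed records shaped like entries of GET /api/v4/projects.
SAMPLE_PROJECTS = [
    {"path_with_namespace": "infra/secrets", "visibility": "private",
     "merge_requests_access_level": "enabled"},
    {"path_with_namespace": "infra/tools", "visibility": "internal",
     "merge_requests_access_level": "private"},
    {"path_with_namespace": "www/site", "visibility": "public",
     "merge_requests_access_level": "enabled"},
    {"path_with_namespace": "infra/archive", "visibility": "private",
     "merge_requests_access_level": "disabled"},
]


if __name__ == "__main__":
    for v in ("16.11.4", "16.11.5", "17.0.2-ee", "17.0.3", "17.1.0", "17.1.1"):
        print(f"{v:10s} affected={is_affected(v)}")
    for path, visibility in audit_merge_request_access(SAMPLE_PROJECTS):
        print(f"review: {path} ({visibility}) merge requests not members-only")
```

The ranges are half-open on purpose: the first fixed release of each series is excluded, so a version equal to a patch release is reported as not affected, while any lower patch level in the same series is.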

Conclusion

The CVE-2024-2191 vulnerability poses a significant risk to GitLab users, as private project information could be exposed to unauthorized individuals. By updating your GitLab instance to the latest version, incorporating the provided code snippet, and following other recommended security practices, you can ensure that your projects are safe from this critical vulnerability in GitLab CE/EE.

Timeline

Published on: 06/27/2024 00:15:10 UTC
Last modified on: 06/28/2024 13:23:23 UTC