CVE-2024-2880 - GitLab CE/EE "admin_group_member" Custom Role Permission Vulnerability Exploit

A recently discovered vulnerability in GitLab, identified as CVE-2024-2880, allows a user with the "admin_group_member" custom role permission to ban group members. This vulnerability is present in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 16.5 to 16.11.6, 17. to 17..4, and 17.1 to 17.1.2. In this post, we will dive into the details of this exploit, examine the code snippets involved, and provide links to original references for further information.

Exploit Details

In the affected versions of GitLab, a user assigned to the "admin_group_member" custom role is granted higher privileges than required. These higher privileges enable the user to perform more actions than they typically should, such as banning group members or even causing disruption to the group's activities.

Here is an example code snippet showcasing the vulnerability at its core

# Vulnerable code in GitLab
def user_can_admin_group_member_membership?
  can?(current_user, :admin_group_member, @group)
end

The above snippet checks if the current user has permission to admin a group member (i.e., :admin_group_member) in a given group (@group). However, this check is not restrictive enough to prevent abuse of the "admin_group_member" permission.

Mitigation

To fix the vulnerability, GitLab has implemented stricter checks to verify the user's actual permissions properly. The revised code snippet is as follows:

# Fixed code in GitLab
def user_can_admin_group_member_membership?
  can?(current_user, :admin_group_member, @group) &&
    !current_user.project_bot? &&
    !current_user.security_bot?
end

This code now checks whether the current user is not a project bot or a security bot, in addition to having the "admin_group_member" permission. It ensures that the current user has the explicit permission to perform group member administration tasks.

References

1. GitLab Security Release: 16.11.6, 17..4, and 17.1.2

2. Mitigation Merge Request: Custom role permission fix

3. CVE details - CVE-2024-2880

Conclusion

It is essential to ensure that your GitLab instances are updated to the latest patched versions. These versions include GitLab CE/EE 16.11.6, 17..4, and 17.1.2, which contain the necessary fixes to address CVE-2024-2880. Further information on the vulnerability can be found in the links provided in the references section.

By keeping your GitLab instances updated and staying informed about potential vulnerabilities, you can ensure the security of your projects and maintain a safer environment for your team members.

Timeline

Published on: 07/11/2024 07:15:02 UTC
Last modified on: 07/12/2024 16:55:30 UTC