CVE-2024-4011: Critical Vulnerability in GitLab CE/EE Allows Non-Project Members to Promote Key Results to Objectives

A critical security vulnerability, identified as CVE-2024-4011, has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). The issue affects the following versions:

- starting from 17.1 up to (but not including) 17.1.1

The vulnerability enables non-project members to promote key results to objectives, which could lead to unauthorized access to sensitive information or potential manipulation of project data.

Exploit Details

The vulnerability exists due to improper access controls in the implementation of GitLab's promotion function for key results to objectives. As a result, any user, regardless of their permissions or membership status within a project, can trigger the promotion action and modify objectives within the affected projects.

Below is a simplified code snippet illustrating the flawed access-control pattern:

# Wrapper as shown on the page: the membership and permission check lives here,
# while the underlying project.promote_key_result_to_objective method performs none.
class AccessDenied(Exception):
    pass

def promote_key_result_to_objective(project, key_result, person):
    # Deny unless the caller is a project member holding the promotion permission
    if not project.is_member(person) or not person.has_permission('promote_key_results'):
        raise AccessDenied("Permission denied")

    objective = project.get_objective(key_result)
    project.promote_key_result_to_objective(key_result)  # no authorization check of its own
    print(f"Key result {key_result} was promoted to objective.")
    return objective

In the snippet above, the promote_key_result_to_objective wrapper checks that the user is a project member with the required permission, but that check exists only in the wrapper: a request that reaches the underlying project.promote_key_result_to_objective method directly is never authorized, so the promotion succeeds without membership or permission.
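The defensive counterpart, as an added example rather than GitLab's own code: the authorization gate is placed inside the promotion operation itself, so every entry point (API, UI, background job) passes through it and there is no unchecked path to the state change. The User, Project and KeyResult classes and the permission name "promote_key_results" are constructed for the example.

```python
# Added example, not GitLab's code: the authorization gate lives inside the
# promotion operation itself, so no caller can reach the state change without
# passing it. User, Project, KeyResult and the permission name are constructed.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when the acting user may not perform the operation."""

@dataclass
class User:
    name: str
    permissions: frozenset = frozenset()

@dataclass
class KeyResult:
    title: str
    promoted: bool = False

@dataclass
class Project:
    name: str
    members: set = field(default_factory=set)
    objectives: list = field(default_factory=list)

    def is_member(self, user):
        return user.name in self.members

    def authorize_promotion(self, user):
        """Single gate shared by every entry point (API, UI, background job)."""
        if not self.is_member(user):
            raise AccessDenied(f"{user.name} is not a member of {self.name}")
        if "promote_key_results" not in user.permissions:
            raise AccessDenied(f"{user.name} lacks promote_key_results")

    def promote_key_result_to_objective(self, key_result, user):
        """The operation checks authorization itself before mutating any state."""
        self.authorize_promotion(user)
        key_result.promoted = True
        self.objectives.append(key_result.title)
        return key_result.title

def try_promote(project, key_result, user):
    """Return 'promoted' or 'denied'; project state is untouched on denial."""
    try:
        project.promote_key_result_to_objective(key_result, user)
        return "promoted"
    except AccessDenied:
        return "denied"
```

A non-member, or a member without the permission, is refused and the key result and objective list remain unchanged, whichever code path called the operation.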


GitLab has released patched versions to address this vulnerability in the affected release lines:

- For GitLab CE/EE version 16.x, update to 16.11.5
- For GitLab CE/EE version 17..x, update to 17..3
- For GitLab CE/EE version 17.1.x, update to 17.1.1

To upgrade your GitLab instance, follow the guide provided at https://docs.gitlab.com/ee/update/README.html.

Conclusion

CVE-2024-4011 poses a significant risk to organizations using the affected GitLab versions, as it allows unauthorized users to manipulate and possibly tamper with sensitive project data. It is highly recommended that organizations patch their GitLab installations as soon as possible to protect against this vulnerability and help maintain the integrity of their projects.

Timeline

Published on: 06/27/2024 00:15:11 UTC
Last modified on: 06/28/2024 13:21:27 UTC