A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2024-4901, affects GitLab Community Edition (CE) and Enterprise Edition (EE). It is present in all versions from 16.9 before 16.11.5, from 17.0 before 17.0.3, and from 17.1 before 17.1.1. The flaw lies in project import: a project export that contains a commit note carrying an XSS payload can be imported into a vulnerable instance, where the payload is stored and later rendered to other users.


GitLab is a widely used platform for source code management that combines issue tracking, continuous integration, and collaboration features in a single application. Left unpatched, this vulnerability lets an attacker inject JavaScript through a commit note; because that script runs in other users' browsers under the GitLab origin, it can read data the victim's session has access to and perform actions as that user, which can lead to account compromise.

Exploit Details

To exploit this vulnerability, an attacker prepares a project export whose data includes a commit note (a comment on a commit that GitLab stores alongside the project, not a Git note under refs/notes) with a JavaScript payload in its body, and gets that export imported into a vulnerable instance, either by importing it into a namespace the attacker's own account may import into or by persuading a user with import rights to do so. Once imported, the payload executes in the browser of any user of the target instance who views the commit's comments.

The payload itself is ordinary inline script, for example:

<script>alert('XSS')</script>

What matters is where it is placed: in the body of a commit comment, so that it travels inside the export archive and is stored by the importing instance. Git's own notes mechanism is a different thing. The commands

$ git notes add -m "<script>alert('XSS')</script>" HEAD
$ git push origin refs/notes/commits

create a Git note under refs/notes/commits, which GitLab does not display as a commit comment, so they do not reach the vulnerable code path.

Original References

For more information about this vulnerability and the affected versions, consult the official GitLab sources:

- GitLab's patch release announcement for 16.11.5, 17.0.3 and 17.1.1, which lists this issue among the security fixes
- NVD entry for CVE-2024-4901: https://nvd.nist.gov/vuln/detail/CVE-2024-4901

Mitigation

The recommended solution is to update your GitLab instance to one of the fixed versions:

- GitLab CE/EE version 16.11.5
- GitLab CE/EE version 17.0.3
- GitLab CE/EE version 17.1.1

Follow GitLab's official upgrade documentation for your installation type (Omnibus package, Helm chart, or source install).

If you cannot update immediately, reducing exposure to project import is the only practical workaround: disable the import sources you do not need in the Admin Area (Settings > General, import and export settings), and restrict imports from untrusted sources to trusted users until the upgrade is done. Note that this does not clean up anything already imported, so projects imported from untrusted archives while the instance was vulnerable should be reviewed. This workaround may not suit every deployment, and updating is strongly recommended.
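As an added example (not part of the original writeup and not GitLab's own code), serving both the exploit description above and this workaround: a small Python triage script that opens a project export archive, walks every NDJSON file in it, and flags note and description fields whose bodies contain script-like markup, so an administrator who must still accept exports from untrusted sources can inspect them before import. The archive layout it assumes (a tar.gz containing `tree/project/*.ndjson`, one JSON record per line, comment bodies in a `note` field) and the sample archive it builds are constructed assumptions for the demonstration, not a verified description of GitLab's export format, and the pattern list is a heuristic: Markdown permits some inline HTML, so every hit needs manual review.

```python
import io
import json
import re
import sys
import tarfile

# Heuristic markers of active content in fields that should hold plain text/Markdown.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|javascript\s*:|\bon[a-z]+\s*=|<\s*svg\b|<\s*img\b[^>]*\bon",
    re.IGNORECASE,
)
# Field names worth inspecting (assumed; adjust to the export you are looking at).
TEXT_KEYS = ("note", "note_html", "description", "description_html", "title")


def is_suspicious(text):
    """True if a string field contains markup that could execute in a browser."""
    return bool(SUSPICIOUS.search(text))


def find_markup(obj, path=""):
    """Recursively yield (json_path, value) for inspected string fields with suspicious markup."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from find_markup(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from find_markup(value, f"{path}[{idx}]")
    elif isinstance(obj, str):
        # Leaf key is the last dotted segment with any list index stripped.
        key = path.rsplit(".", 1)[-1].split("[")[0]
        if key in TEXT_KEYS and is_suspicious(obj):
            yield path, obj


def scan_export(archive_bytes):
    """Scan every .ndjson member of a gzipped tar export.

    Returns a list of (member_name, line_number, json_path, value) findings.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".ndjson"):
                continue
            stream = tar.extractfile(member)
            for lineno, raw in enumerate(stream, 1):
                line = raw.strip()
                if not line:
                    continue
                try:
                    record = json.loads(line)
                except json.JSONDecodeError:
                    # A record that does not parse is itself worth a look.
                    findings.append((member.name, lineno, "<unparseable>",
                                     line[:80].decode(errors="replace")))
                    continue
                for path, value in find_markup(record):
                    findings.append((member.name, lineno, path, value))
    return findings


def build_sample_export():
    """Constructed sample archive: one benign commit note, one with a script payload,
    and an issue whose nested comment carries an event-handler payload."""
    records = {
        "tree/project/commit_notes.ndjson": [
            {"note": "Looks good to me", "commit_id": "a" * 40, "author_id": 1},
            {"note": "<script>alert('XSS')</script>", "commit_id": "b" * 40, "author_id": 2},
        ],
        "tree/project/issues.ndjson": [
            {"title": "Login bug", "description": "Steps: 1. open <b>bold</b>",
             "notes": [{"note": "<img src=x onerror=alert(1)>"}]},
        ],
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, rows in records.items():
            data = "\n".join(json.dumps(r) for r in rows).encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_export.py export.tar.gz   (no argument: scan the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_export()
    for member, lineno, path, value in scan_export(data):
        print(f"{member}:{lineno} {path}: {value!r}")
```

Run against a real archive the script exits quietly when nothing matches; against the built-in sample it reports the commit note on line 2 of `commit_notes.ndjson` and the nested issue comment, while the benign `<b>bold</b>` in the issue description is left alone. Treat the output as a shortlist for a human, not as a verdict.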


In summary, CVE-2024-4901 is a stored XSS vulnerability in GitLab CE/EE that is exploited by importing a project export containing a commit note with a JavaScript payload. To address it, update your GitLab instance to one of the fixed versions (16.11.5, 17.0.3, or 17.1.1) as soon as possible.

Timeline

Published on: 06/27/2024 00:15:12 UTC
Last modified on: 08/01/2024 20:55:10 UTC