CVE-2024-5067: GitLab EE Project-Level Analytics Settings Leak Vulnerability and Exploit Details

A recently discovered security vulnerability listed as CVE-2024-5067 affects GitLab Enterprise Edition (EE) by exposing certain project-level analytics settings to group members with Developer or higher roles. This vulnerability affects all versions starting from 16.11 prior to 17..5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1. In this blog post, we will discuss the details of the vulnerability, its exploit, and references to mitigate the issue.

Vulnerability Details

GitLab is a popular web-based DevOps lifecycle tool that provides a Git repository manager, enabling teams to collaborate on code, manage projects and track issues. GitLab Enterprise Edition is the commercially supported version of GitLab and includes additional features tailored for larger organizations.

The CVE-2024-5067 vulnerability was discovered in GitLab EE's project-level analytics settings. These settings could be leaked in the Document Object Model (DOM) to group members with Developer or higher roles. The DOM is an application programming interface (API) for HTML and XML documents that allows scripts to read and manipulate their structure and content; anything the server embeds in the page is therefore readable by any user who can load that page.

Exploit Details

To exploit this vulnerability, an attacker would need a project member account with the Developer role or higher on the targeted GitLab instance. By inspecting the DOM of the affected analytics pages, such a user can read project-level analytics settings that should normally be restricted to higher roles.

The following code snippet demonstrates how this sensitive information could be leaked:

// In an affected GitLab EE instance:
const projectAnalyticsSettings = document.querySelector(
  'meta[name="project-analytics-settings"]'
).content;

// Parsing the JSON content:
const settings = JSON.parse(projectAnalyticsSettings);

// Accessing sensitive information:
console.log("apiKey:", settings.apiKey);
console.log("requestDataInterval:", settings.requestDataInterval);

This code can be run in the browser's developer console to extract sensitive information from the project-level analytics settings.
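The defect class behind this leak is a view helper that serializes project settings into the page for every member instead of authorizing first. The Ruby below is an added example, not GitLab's own code: it shows the vulnerable rendering pattern beside a hardened one, plus a check a reviewer can run over rendered HTML to catch regressions. It assumes that Maintainer is the minimum role allowed to see these settings and that apiKey is a secret that must never reach the browser; the sample settings and key value are constructed placeholders.

```ruby
require 'json'
require 'cgi'

# GitLab project role ordering (Developer sits below Maintainer).
ROLE_RANK = { 'Guest' => 10, 'Reporter' => 20, 'Developer' => 30,
              'Maintainer' => 40, 'Owner' => 50 }.freeze
# Assumption: keys that must never be serialized into the DOM.
SECRET_KEYS = %w[apiKey].freeze
# Assumption: minimum role allowed to see analytics settings at all.
MIN_ROLE = 'Maintainer'.freeze

# Constructed sample; the key value is a placeholder, not a real credential.
SAMPLE_SETTINGS = { 'apiKey' => 'PLACEHOLDER_KEY',
                    'requestDataInterval' => 30 }.freeze

# Vulnerable pattern: the full settings hash is rendered for every member,
# regardless of role, so any Developer can read it from the DOM.
def analytics_meta_vulnerable(settings, _role)
  json = CGI.escapeHTML(JSON.generate(settings))
  %(<meta name="project-analytics-settings" content="#{json}">)
end

# Hardened pattern: authorize on the server first, then strip secrets so that
# even an authorized page never carries credentials client-side.
def analytics_meta_hardened(settings, role)
  return '' if ROLE_RANK.fetch(role, 0) < ROLE_RANK[MIN_ROLE]
  safe = settings.reject { |key, _| SECRET_KEYS.include?(key) }
  json = CGI.escapeHTML(JSON.generate(safe))
  %(<meta name="project-analytics-settings" content="#{json}">)
end

# Regression check over rendered HTML: returns the secret keys exposed in the
# analytics meta tag, or an empty array when nothing sensitive is present.
def leaked_secret_keys(html)
  match = html.match(/<meta name="project-analytics-settings" content="([^"]*)">/)
  return [] unless match
  JSON.parse(CGI.unescapeHTML(match[1])).keys & SECRET_KEYS
end
```

Running leaked_secret_keys against the HTML produced for a Developer session is the kind of assertion that belongs in a view test, so the leak fails CI rather than reaching production.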

Mitigation and Remediation

GitLab has already released patches that fix this vulnerability. Affected users should update their GitLab EE instances to the patched version for their current release channel:

- For users on the 17.2 channel, update to version 17.2.1 or later

Check the following official references for more information on the security release and how to apply the necessary patches:

- GitLab Security Release: 17..5, 17.1.3, and 17.2.1
- GitLab Update Guide: Updating GitLab

Conclusion

In this post, we discussed the details of the CVE-2024-5067 vulnerability affecting GitLab EE, a worrisome issue that could lead to unauthorized access to sensitive project-level analytics settings. Organizations running GitLab EE should take immediate action to address this vulnerability by updating to patched versions and reviewing access controls to further reduce potential exposure. Always keep your software up to date and monitor security channels for the latest information on vulnerabilities and patches.

Timeline

Published on: 07/24/2024 23:15:09 UTC
Last modified on: 07/26/2024 15:33:01 UTC