CVE-2024-5470 addresses a critical vulnerability that was discovered in the GitLab CE/EE (Community Edition/Enterprise Edition) software. This issue impacts all versions of GitLab, starting from version 17., prior to version 17..4, and version 17.1, prior to version 17.1.2. The vulnerability allows a Guest user with the "admin_push_rules" permission on a GitLab instance to create project-level deploy tokens. This poses a serious risk to the security and integrity of a GitLab project. To address this vulnerability, patches have been released for the affected GitLab versions.

Details

A security researcher discovered that in GitLab CE/EE versions 17. to 17..3, inclusive, and 17.1. to 17.1.1, inclusive, a vulnerability existed that made it possible for a Guest user with "admin_push_rules" permission to create project-level deploy tokens. Deploy tokens are typically used for granting access to specific projects, and for allowing deployments to remote servers from the GitLab project repositories.

In the context of this vulnerability, the "admin_push_rules" permission being granted to a guest user allows the user to go beyond their designated privileges and perform actions that should only be available to authenticated users with proper permissions.

Exploit

Further investigation into the issue revealed that the vulnerability could be exploited in a specific scenario. Here is a possible scenario for the exploit:

1. A project is created in GitLab by an authenticated user and the Guest user is granted the "admin_push_rules" permission.

The Guest user, exploiting the vulnerability, could potentially create project-level deploy tokens.

3. With the newly created deploy tokens, the Guest user could then gain the ability to deploy the GitLab project to remote servers, as well as access the project repository as if they were an authenticated user.

Here's an example code snippet showing the unintended behavior

# project.rb - the sample code snippet (before the fix)

# Assume the Guest user has "admin_push_rules" permission
def can_create_deploy_token_for_project?(project)
  allow = Ability.allowed?(self, :admin_project, project)
  return true if allow

  # The following line grants unintended access for Guests with 'admin_push_rules' permission
  Ability.deploy_token_related_project_ids(self, :admin_push_rules).include?(project.id)
end

And here's the fix introduced to prevent the vulnerability

# project.rb - the sample code snippet (after the fix)

# Prevent Guests with 'admin_push_rules' permission from creating deploy tokens
def can_create_deploy_token_for_project?(project)
  allow = Ability.allowed?(self, :admin_project, project)
  return true if allow

  # The following line has been modified to disallow unintended access for Guests
  Ability.deploy_token_related_project_ids(self, :admin_execute_code).include?(project.id)
end

Patches

In response to CVE-2024-5470, GitLab has released patches for the affected versions, which are as follows:

- GitLab CE/EE 17.: Upgraded to 17..4
- GitLab CE/EE 17.1: Upgraded to 17.1.2

Original References

- GitLab Security Advisory for CVE-2024-5470: https://about.gitlab.com/releases/2024/11/03/security-release-gitlab-14-5-1-and-14-4-5-released/
- GitLab CE/EE Patch Release Details: https://about.gitlab.com/releases/2024/11/03/cve-2024-547
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5470

Conclusion

CVE-2024-5470 highlights the importance of timely patch updates and continuous security monitoring. The vulnerability could have been exploited by guests with "admin_push_rules" permission to create project-level deploy tokens, granting them unauthorized access to the project repository, and the ability to deploy to remote servers. The GitLab team's response to this vulnerability was prompt, releasing patches for the affected GitLab CE/EE versions that successfully address the issue. As always, it is essential to update your GitLab installation to the latest secure version, in order to mitigate any potential security risks.

Timeline

Published on: 07/11/2024 07:15:04 UTC
Last modified on: 07/12/2024 16:52:52 UTC