Hey all,

I've come across a serious security vulnerability that affects GitLab EE installations. If you're using GitLab EE, please read this post carefully and take action immediately to patch and protect your systems.

CVE-2024-6323 describes improper authorization in the global search feature of GitLab EE. The vulnerability affects all versions from 16.11 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. In summary, an attacker who leverages this vulnerability can potentially leak the content of a private repository within public projects.

Through this post, I'll break down the vulnerability, provide you with code snippets for reference, and link you to the original GitLab advisory along with patch details. My aim is to give you all the necessary information in plain, easy-to-understand language. Let's start!

Background on CVE-2024-6323

GitLab EE (Enterprise Edition) provides functionality that makes it easier for users to search for code and other entities across projects. This is done through its global search feature, which uses Elasticsearch, a search and analytics engine, to index the content of repositories.

The vulnerability, CVE-2024-6323, is due to an insufficient authorization mechanism in the global search functionality. This poor design ultimately allows an attacker to access the content of private repositories that are not accessible to the public.

Improper authorization in global search: A Code Snippet

Before we dive into the exploit details, let me first share a snippet of code that will help you understand the issue. The code below highlights the lack of proper authorization checks when querying for Elasticsearch results:

# Snippet of vulnerable code in GitLab EE's Global Search
def execute
  # Only collects the IDs of projects associated with the current user;
  # no check is made against the repository-level permissions of each project
  allowed_search_ids = current_user.projects.pluck(:id)

  # Vulnerable Code Block without proper authorization mechanisms:
  # the Elasticsearch hits are returned as-is, with no per-result check
  gitlab_search_results = Elasticsearch::Model
    .search(query_string, allowed_search_ids)
    .records
    .includes(:project)
end

As you can see from the above code, allowed_search_ids is built only from the IDs of projects the current user is associated with; nothing verifies that the user actually has permission to read the repository content of each of those projects, so content from repositories that should be restricted can still be returned.
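To make the class of bug concrete, here is an added example in Ruby that is not GitLab's code and does not reproduce the real fix. It models a constructed toy search index in which a project's overall visibility (public/private) is separate from its repository access level (everyone/members only), which is the situation behind "a private repository within a public project". The weak search filters on project visibility alone; the hardened search builds its filter from the permission that actually governs repository content and re-checks every hit before returning it. All project names, users and blob contents are constructed, and the permission helpers are assumptions for illustration only.

```ruby
# Added example (not GitLab code): project-level versus repository-level
# visibility in a toy search index. All data below is constructed.
Project = Struct.new(:id, :name, :visibility, :repo_access, :members)
Blob    = Struct.new(:project_id, :path, :content)

PROJECTS = [
  # public project whose repository is readable by everyone
  Project.new(1, "web-app", :public,  :everyone, ["alice"]),
  # public project (issues, wiki visible to all) whose repository is members-only
  Project.new(2, "ops-kit", :public,  :members,  ["alice"]),
  # fully private project
  Project.new(3, "secrets", :private, :members,  ["alice"]),
].freeze

# Indexed repository blobs (constructed contents)
INDEX = [
  Blob.new(1, "README.md",  "welcome to the web app"),
  Blob.new(2, "deploy.yml", "deploy token: constructed-token"),
  Blob.new(3, "vault.txt",  "vault token: constructed-secret"),
].freeze

def project(id)
  PROJECTS.find { |pr| pr.id == id }
end

# Project-level check: can the user see that the project exists at all?
# user is nil for an anonymous visitor.
def can_see_project?(user, pr)
  pr.visibility == :public || pr.members.include?(user)
end

# Repository-level check: can the user read the repository's contents?
def can_read_repo?(user, pr)
  can_see_project?(user, pr) &&
    (pr.repo_access == :everyone || pr.members.include?(user))
end

# Weak pattern: the id filter is built from project visibility only and the
# hits are returned as-is, so repository-level restrictions are never consulted.
def search_weak(user, term)
  ids = PROJECTS.select { |pr| can_see_project?(user, pr) }.map(&:id)
  INDEX.select { |b| ids.include?(b.project_id) && b.content.include?(term) }
end

# Hardened pattern: the filter comes from the permission that governs the data
# being searched (repository read), and every hit is re-checked before it is
# returned, so a mistake in the filter alone cannot leak content.
def search_hardened(user, term)
  ids  = PROJECTS.select { |pr| can_read_repo?(user, pr) }.map(&:id)
  hits = INDEX.select { |b| ids.include?(b.project_id) && b.content.include?(term) }
  hits.select { |b| can_read_repo?(user, project(b.project_id)) }
end

def paths(results)
  results.map(&:path)
end

if __FILE__ == $PROGRAM_NAME
  puts "weak, anonymous:     #{paths(search_weak(nil, 'token')).inspect}"
  puts "hardened, anonymous: #{paths(search_hardened(nil, 'token')).inspect}"
  puts "hardened, alice:     #{paths(search_hardened('alice', 'token')).inspect}"
end
```

Run it with `ruby` and compare the first two lines: the weak search hands an anonymous visitor "deploy.yml" from the public project with a members-only repository, while the hardened search returns nothing for that visitor and both files for the member. The second `select` in `search_hardened` is deliberately redundant with the id filter; that redundancy is the defence-in-depth that keeps a wrongly built filter from turning into a leak.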

Exploiting CVE-2024-6323

Considering the vulnerable code, an attacker could exploit CVE-2024-6323 by performing the following steps:

Create a public project, if not already available.

3. Use the global search feature and manipulate it to search for content in private repositories that should not be accessible.

By accomplishing these steps, an attacker can leak sensitive content from private repositories in public projects.

Mitigation and Patching

Now that you're aware of CVE-2024-6323 and its potential danger, it's imperative to take corrective action and protect your GitLab EE installations. The GitLab team has released patch updates to address this vulnerability. You should upgrade to the following patched versions, depending on your current version:

GitLab 16.11.x: Upgrade to GitLab 16.11.5 or later.

GitLab 17.0.x: Upgrade to GitLab 17.0.3 or later.

GitLab 17.1.x: Upgrade to GitLab 17.1.1 or later.

For more information, I highly recommend reviewing the original GitLab security advisory for this CVE.

I hope you find this post helpful and take immediate action to safeguard your GitLab installations from unauthorized access to private repository content through the global search functionality. Stay secure, everyone!

Timeline

Published on: 06/27/2024 00:15:13 UTC
Last modified on: 06/28/2024 13:15:19 UTC