A security vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to trigger a pipeline as another user under specific circumstances. This vulnerability affects all GitLab CE/EE versions starting from 15.8 to 16.11.6, from 17.0 to 17.0.4, and from 17.1 to 17.1.2. In this post, we will discuss the details of this vulnerability (CVE-2024-6385), its potential impact, and recommended mitigation steps.

Description

The vulnerability (CVE-2024-6385) lies in the improper validation of user permissions, which allows an attacker to trigger a new pipeline as another user without having proper permissions. This could lead to unauthorized access to sensitive information, unauthorized changes in the project, or misuse of resources by running arbitrary code in the pipeline. The attack requires the attacker to have access to the project, but not necessarily write permissions.

The attack scenario can be executed with the following code snippet:

curl --header "PRIVATE-TOKEN: <your_private_token>" \
    --request POST \
    "https://gitlab.example.com/api/v4/projects/:id/trigger/pipeline" \
    --data "ref=main&token=<attacker_token>&identity_impersonation=true&triggered_by=<victim_user_id>"

In the code snippet above, replace <your_private_token>, <attacker_token>, <victim_user_id>, and :id (the project ID) with the appropriate values.

Original References

[1] GitLab Security Advisory: https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-13-12-9-released/
[2] Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6385

1. The attacker must first obtain a valid private token.

2. With the private token, the attacker can create a new pipeline using the API and impersonate another user.

For GitLab 17.1.x, upgrade to 17.1.2

It is strongly recommended to upgrade your GitLab CE/EE instance to the latest patched version as soon as possible. Additionally, review your pipeline usage and ensure that proper access controls and user permissions are in place.
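As a starting point for the pipeline review recommended above, the following is an added example (not code from the advisory or from GitLab) that cross-checks trigger-sourced pipelines against the owners of a project's trigger tokens: a pipeline started through the trigger endpoint normally runs as the token's owner, so one attributed to anyone else deserves a closer look. The object shapes follow GitLab's public pipeline and trigger-token API documentation as I understand it, and the sample data is constructed.

```python
# Added example, not from the advisory: audit pipelines whose "source" is
# "trigger" and whose running user owns none of the project's trigger tokens.
# Field names (source, user.id, owner.id) are assumed from GitLab's public
# API docs for GET /projects/:id/pipelines/:pipeline_id and
# GET /projects/:id/triggers; the sample data below is constructed.
from typing import Iterable


def trigger_token_owner_ids(triggers: Iterable[dict]) -> set:
    """Collect the user ids that own the project's pipeline trigger tokens."""
    return {t["owner"]["id"] for t in triggers if t.get("owner")}


def find_suspicious_pipelines(pipelines: Iterable[dict], triggers: Iterable[dict]) -> list:
    """Return trigger-sourced pipelines whose user is not a trigger-token owner.

    Only source == "trigger" is compared: push, web, schedule and api pipelines
    are attributed to the pushing/requesting user, not to a trigger token.
    """
    owners = trigger_token_owner_ids(triggers)
    findings = []
    for p in pipelines:
        if p.get("source") != "trigger":
            continue
        user = p.get("user") or {}
        if user.get("id") not in owners:
            findings.append({"pipeline_id": p["id"], "ref": p.get("ref"),
                             "user": user.get("username"), "user_id": user.get("id")})
    return findings


# Constructed sample data: both trigger tokens belong to user 7 ("ci-bot"),
# yet pipeline 1003 was trigger-sourced and ran as user 42 ("maintainer").
SAMPLE_TRIGGERS = [
    {"id": 1, "description": "deploy bot", "owner": {"id": 7, "username": "ci-bot"}},
    {"id": 2, "description": "nightly", "owner": {"id": 7, "username": "ci-bot"}},
]
SAMPLE_PIPELINES = [
    {"id": 1001, "ref": "main", "source": "trigger", "user": {"id": 7, "username": "ci-bot"}},
    {"id": 1002, "ref": "main", "source": "push", "user": {"id": 42, "username": "maintainer"}},
    {"id": 1003, "ref": "release", "source": "trigger", "user": {"id": 42, "username": "maintainer"}},
]

if __name__ == "__main__":
    for f in find_suspicious_pipelines(SAMPLE_PIPELINES, SAMPLE_TRIGGERS):
        print(f"pipeline {f['pipeline_id']} on {f['ref']} ran as {f['user']} "
              f"(id {f['user_id']}), who owns no trigger token")
```

On a live instance, feed it the JSON from the two API endpoints named in the comments; a non-empty result is a lead to investigate, not proof of exploitation, since token ownership can legitimately change when staff leave.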

Conclusion

The CVE-2024-6385 vulnerability in GitLab CE/EE allows an attacker to trigger a pipeline as another user under certain circumstances. This may lead to unauthorized access, project changes, and resource misuse. It is crucial to update your GitLab instances to the patched versions and validate the access controls to safeguard your projects against potential exploitation.

Timeline

Published on: 07/11/2024 07:15:06 UTC
Last modified on: 07/12/2024 16:49:14 UTC