A recently discovered issue in GitLab (CVE-2024-6595) affects GitLab Community Edition (CE) and Enterprise Edition (EE) installations across several version ranges, making it possible for an attacker to upload a Node Package Manager (NPM) package with conflicting package data. This post explores this vulnerability, discussing its root cause, how it works, what security risks it poses to GitLab installations, and what you can do to protect your system.

Affected Versions

All versions starting from 17.1 prior to 17.1.2.

When a user uploads a new NPM package, GitLab should compare the package metadata against the existing packages within the repository. However, due to this vulnerability, GitLab fails to perform this check correctly, allowing an attacker to upload an NPM package with conflicting metadata. Consequently, this can cause a range of undesirable behaviors, from package versions being overridden to dependency confusion.

Code Snippet

A simplified example of how an attacker might exploit this vulnerability to upload a malicious package:

npm login --registry https://gitlab.example.com/api/v4/packages/npm/
npm publish --registry https://gitlab.example.com/api/v4/projects/123/packages/npm/ evil-package.tgz

Here, evil-package.tgz contains malicious code, and the attacker is publishing it with a version number or metadata that conflicts with existing packages in the target repository.

Original References

- GitLab Advisory: https://about.gitlab.com/releases/2022/02/24/security-release-13-7-6/
- NIST CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-6595

Risk Assessment

This vulnerability poses a significant security risk to affected GitLab installations, as it can be exploited to upload malicious code to repositories. Malicious packages can wreak havoc, injecting backdoors or executing remote code to compromise user systems. Organizations relying on NPM packages from affected GitLab installations should immediately patch their systems to prevent exploitation.

Mitigation

1. For versions starting from 17.1, upgrade to 17.1.2. Instructions for upgrading GitLab are available in the official GitLab upgrade documentation.

2. After updating, audit the NPM packages in your GitLab repositories: compare package metadata across the existing packages and verify that no conflicting or malicious packages have been introduced.
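As an added illustration of the metadata check described earlier and of the audit step above (this is example code, not GitLab's own), the following Python script runs the audit offline: it flags name+version pairs that appear more than once in a package listing shaped like GitLab's Packages API output, and compares the package.json inside a tarball against the name and version the registry records for it. The sample listing and tarballs are constructed here; the exact comparison GitLab performs internally is not on the page, so these two checks are an assumption of what a metadata consistency audit should cover.

```python
import io
import json
import tarfile
from collections import defaultdict

# Constructed sample shaped like GitLab's Packages API listing
# (GET /projects/:id/packages?package_type=npm); only "id", "name" and "version" are used.
SAMPLE_PACKAGES = [
    {"id": 1, "name": "@acme/logger", "version": "1.0.0"},
    {"id": 2, "name": "@acme/logger", "version": "1.1.0"},
    {"id": 3, "name": "@acme/logger", "version": "1.1.0"},  # second record for the same name+version
    {"id": 4, "name": "@acme/http", "version": "2.0.0"},
]


def find_duplicate_versions(packages):
    """Return {(name, version): [package ids]} for every name+version listed more than once."""
    seen = defaultdict(list)
    for pkg in packages:
        seen[(pkg["name"], pkg["version"])].append(pkg["id"])
    # A healthy registry has exactly one record per name+version.
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def check_tarball_metadata(tarball_bytes, registry_name, registry_version):
    """Compare package/package.json inside the tarball with the registry record it was
    published under; returns a list of mismatch descriptions (empty means consistent)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        try:
            manifest = json.load(tar.extractfile("package/package.json"))
        except KeyError:
            return ["tarball has no package/package.json"]
    problems = []
    if manifest.get("name") != registry_name:
        problems.append(f"name: tarball {manifest.get('name')!r} vs registry {registry_name!r}")
    if manifest.get("version") != registry_version:
        problems.append(f"version: tarball {manifest.get('version')!r} vs registry {registry_version!r}")
    return problems


def build_tarball(name, version):
    """Build a minimal npm-style tarball in memory (constructed test input, not a real package)."""
    manifest = json.dumps({"name": name, "version": version}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return buf.getvalue()
```

To run this against a real instance, feed `find_duplicate_versions` the JSON array returned by the Packages API and `check_tarball_metadata` the downloaded tarball bytes together with the name and version of the record it belongs to.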

Conclusion

This post discussed the critical vulnerability CVE-2024-6595 in GitLab CE/EE, which could allow an attacker to upload NPM packages with conflicting metadata. The vulnerability affects several GitLab version ranges, and it is crucial for organizations to act immediately to patch their systems and prevent potential exploitation. Follow the mitigation steps mentioned above and stay vigilant to protect your GitLab installations from security threats.

Timeline

Published on: 07/17/2024 02:15:10 UTC
Last modified on: 07/19/2024 14:52:54 UTC