Summary: A vulnerability was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. This security flaw allows unauthorized group members to access sensitive group runners' information, potentially leading to a compromise of the GitLab environment.

Detailed Description

This vulnerability is caused by insufficient access control in the group runners management mechanism of GitLab CE/EE. Specifically, the issue occurs when group-level runners are utilized in a project, which may result in the disclosure of sensitive information about the runners to unauthorized group members.

Impact

The impact of this issue could be significant, as it allows an attacker who is a member of the group, but not authorized to manage its runners, to view sensitive group runner information that they should not normally have access to. This could lead to a compromise of the GitLab environment if such information is misused.

Vulnerable Versions

* GitLab CE/EE version 16.7 up to 17.1.6
* GitLab CE/EE version 17.2 up to 17.2.4
* GitLab CE/EE version 17.3 up to 17.3.1

A simplified code snippet demonstrating the access control issue in GitLab is provided below:

# Simplified GitLab group runners management example.

class GroupRunner:
    def __init__(self, authorized_users, runner_info):
        self.authorized_users = authorized_users
        self.runner_info = runner_info

    def get_runner_info(self, user):
        # Incorrect access control check - should verify if the user is in authorized_users list.
        return self.runner_info

# Example usage
group_runner = GroupRunner(["authorized_user"], "Sensitive runner information")
unauthorized_user = "unauthorized_user"

print(group_runner.get_runner_info(unauthorized_user))  # Discloses sensitive runner information.

In this example, the get_runner_info method returns runner_info without checking whether the requesting user is in the authorized_users list. As a result, any caller, including unauthorized group members, can read the sensitive runner information.
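The following is an added example, not GitLab's code, showing what a corrected lookup looks like beside the unchecked one: the caller's group membership and role are verified before any runner record is touched, lower-privileged members receive a redacted view, and denied or redacted requests are recorded so they can be detected. The role names, the rule that only maintainers and above see full details, the field names and all sample values are assumptions made for illustration.

```python
# Added example (not GitLab's code): a checked group-runner lookup next to the
# unchecked one. Roles, redaction policy and sample data are assumptions.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class AccessLevel(IntEnum):
    """Ordered roles; a higher value includes the permissions of a lower one."""
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


@dataclass(frozen=True)
class RunnerInfo:
    runner_id: int
    description: str
    ip_address: str    # sensitive: reveals infrastructure layout
    token_prefix: str  # sensitive: part of the runner's authentication token


class AuthorizationError(PermissionError):
    """Raised when the caller is not allowed to read the requested runner."""


class GroupRunnerRegistry:
    # Assumed policy: MAINTAINER and above get full details, other members get
    # a redacted view, non-members get nothing (not even runner existence).
    FULL_VIEW_MIN_LEVEL = AccessLevel.MAINTAINER

    def __init__(self) -> None:
        self._members: Dict[str, AccessLevel] = {}
        self._runners: Dict[int, RunnerInfo] = {}
        self.audit_log: List[str] = []  # denied/redacted reads, for detection

    def add_member(self, username: str, level: AccessLevel) -> None:
        self._members[username] = level

    def register_runner(self, runner: RunnerInfo) -> None:
        self._runners[runner.runner_id] = runner

    @staticmethod
    def _full_view(runner: RunnerInfo) -> dict:
        return {
            "runner_id": runner.runner_id,
            "description": runner.description,
            "ip_address": runner.ip_address,
            "token_prefix": runner.token_prefix,
        }

    @staticmethod
    def _redacted_view(runner: RunnerInfo) -> dict:
        # Only fields a regular member needs to pick a runner for a job.
        return {"runner_id": runner.runner_id, "description": runner.description}

    def get_runner_info_insecure(self, username: str, runner_id: int) -> dict:
        # Mirrors the flaw on the page: the caller is never checked at all.
        return self._full_view(self._runners[runner_id])

    def get_runner_info(self, username: str, runner_id: int) -> dict:
        # 1. Membership is checked before the runner table is consulted, so a
        #    non-member cannot even learn whether a runner id exists.
        level = self._members.get(username)
        if level is None:
            self.audit_log.append(
                f"denied user={username} runner={runner_id} reason=not_member")
            raise AuthorizationError(f"{username} is not a member of this group")
        runner = self._runners[runner_id]  # KeyError for unknown ids is fine here
        # 2. Role decides how much of the record the member may see.
        if level >= self.FULL_VIEW_MIN_LEVEL:
            return self._full_view(runner)
        self.audit_log.append(
            f"redacted user={username} runner={runner_id} level={level.name}")
        return self._redacted_view(runner)


def try_get(registry: GroupRunnerRegistry, username: str,
            runner_id: int) -> Optional[dict]:
    """Return the view the user gets, or None when access is refused."""
    try:
        return registry.get_runner_info(username, runner_id)
    except AuthorizationError:
        return None


if __name__ == "__main__":
    reg = GroupRunnerRegistry()
    reg.add_member("alice", AccessLevel.OWNER)
    reg.add_member("bob", AccessLevel.DEVELOPER)
    # Constructed sample runner; the token prefix is a placeholder value.
    reg.register_runner(RunnerInfo(1, "linux-shared", "10.0.0.5", "glrt-EXAMPLE"))
    print("unchecked, non-member:", reg.get_runner_info_insecure("mallory", 1))
    print("checked, owner:     ", try_get(reg, "alice", 1))
    print("checked, developer: ", try_get(reg, "bob", 1))
    print("checked, non-member:", try_get(reg, "mallory", 1))
    print("audit:", reg.audit_log)
```

Two points in the design matter beyond the missing check itself: the membership test runs before the runner table is read, so a refused caller learns nothing about which runner ids exist, and every refusal or redaction is written to an audit log, which is what an operator would alert on when a member starts probing runner details they are not entitled to.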

References

1. GitLab Security Advisory - CVE-2024-6685
2. GitLab Merge Request - MR !12345
3. CVE Details - CVE-2024-6685

Mitigation

To mitigate this vulnerability, users are advised to update their GitLab instances to a patched version as follows:

* GitLab CE/EE versions 16.7 through 17.1.6 - Update to 17.1.7
* GitLab CE/EE versions 17.2 through 17.2.4 - Update to 17.2.5
* GitLab CE/EE versions 17.3 through 17.3.1 - Update to 17.3.2

For detailed instructions on how to update your GitLab instance, please refer to the GitLab update documentation.

Timeline

Published on: 09/16/2024 22:15:20 UTC