Attention, GitLab users! A severe information disclosure vulnerability (CVE-2024-7057) has been identified that affects GitLab CE/EE (Community Edition and Enterprise Edition). Specifically, the issue impacts all versions starting from 16.7 and prior to 17.0.5, from 17.1 and prior to 17.1.3, and from 17.2 and prior to 17.2.1. The vulnerability can let unauthorized users gain access to job artifacts that they should not be able to view, which poses a significant risk to your organization's data and processes.

In this long-read post, we will discuss the details of this vulnerability, how it works, and how to address it. We will also provide code snippets and additional resources, including original references for further investigation.

Exploit Details

The core issue in CVE-2024-7057 lies in GitLab's job artifact handling. In some cases, GitLab does not properly verify the authorization level of users, allowing them to access (and potentially modify) artifacts associated with jobs they should not have access to. This has serious implications for organizations that rely on GitLab to manage private and sensitive data, because it can lead to data leakage or unauthorized modification of job artifacts. An attacker who already holds a low-privilege account could use this gap to reach artifacts, and whatever credentials or build outputs they contain, that should have been out of reach.

The vulnerability arises in a specific scenario: a user has access to a particular namespace and project but lacks authorization for a specific job within that project, yet the user can still access that job's artifacts. The following snippet illustrates the flawed check.

# --- Illustrative vulnerable check (simplified; prior to the fixed versions) ---
# Returns true when `user` can read `project` AND holds at least `level` on it.
# Note: the check is made against the project only; the job is never consulted.
def check_project_access(user, project, level)
  access_granted = user && user.can?(:read_project, project)
  return false unless access_granted

  # Parentheses are required: `!!x >= level` would parse as `(!!x) >= level`.
  !!(UserProjectAccessLevel.get_permission(user, project) >= level)
end

# `current_user` is assumed to be the request helper returning the caller.
def download_artifact(project, artifact)
  return false unless check_project_access(current_user, project, :developer)

  # ... proceed to download the artifact; `artifact.job` is never authorized ...
end

As the code indicates, the check_project_access function determines whether a user has read access to the project and a sufficient project-level role. However, it never checks whether the user is authorized for the specific job that produced the artifact, so project-level access alone unlocks every job's artifacts. As a result, users who are not permitted to view a given job's artifacts can still download them.
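To make the gap concrete, here is an added, self-contained Ruby illustration (not GitLab's code; the classes, method names and sample data are constructed for this post). It places the project-only check next to a hardened check that additionally authorizes the specific job, using an in-memory model with one project, one restricted job and two developers.

```ruby
# Added illustration (not GitLab's code): why a project-level check alone is
# insufficient for job artifacts, and the hardened check that also authorizes
# the specific job. All class and method names here are assumptions.

LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Constructed sample model.
Project  = Struct.new(:name, :members)   # members: { user_name => role symbol }
Job      = Struct.new(:id, :project, :allowed_readers) # names allowed to read artifacts
Artifact = Struct.new(:job, :path)
User     = Struct.new(:name)

def project_level(user, project)
  project.members[user.name]
end

# Vulnerable check: only project membership and role are verified. The job that
# produced the artifact is never consulted, so any developer on the project can
# fetch artifacts of jobs they are not authorized for.
def can_download_vulnerable?(user, artifact, required = :developer)
  level = project_level(user, artifact.job.project)
  !level.nil? && LEVELS[level] >= LEVELS[required]
end

# Hardened check: the project-level check is kept and a job-level authorization
# is added. Both must pass; failure of either denies access (deny by default).
def can_download_fixed?(user, artifact, required = :developer)
  return false unless can_download_vulnerable?(user, artifact, required)

  artifact.job.allowed_readers.include?(user.name)
end

# Builds the constructed scenario: alice and bob are both developers on the
# "payments" project, but only alice is allowed to read job 42's artifacts.
def build_sample
  alice   = User.new("alice")
  bob     = User.new("bob")
  members = { "alice" => :developer, "bob" => :developer }
  project = Project.new("payments", members)
  restricted_job = Job.new(42, project, ["alice"])
  artifact = Artifact.new(restricted_job, "build/deploy-bundle.tar.gz")
  { alice: alice, bob: bob, artifact: artifact }
end

if __FILE__ == $PROGRAM_NAME
  s = build_sample
  puts "vulnerable check, bob:   #{can_download_vulnerable?(s[:bob], s[:artifact])}" # true (leak)
  puts "hardened check,   bob:   #{can_download_fixed?(s[:bob], s[:artifact])}"      # false
  puts "hardened check,   alice: #{can_download_fixed?(s[:alice], s[:artifact])}"    # true
end
```

Running the file shows the project-only check granting bob the artifact while the hardened check denies him and still admits alice. The design point is that every artifact download must be authorized against the job it belongs to, and that an unknown user or a missing job permission must fail closed rather than fall through to the project check.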

Official announcements and references regarding CVE-2024-7057 can be found at:

- Original CVE entry on NIST's National Vulnerability Database
- GitLab's Official Blog Announcement

Mitigation and Recommendations

GitLab has released security updates to address CVE-2024-7057. To protect your organization from potential exploitation of this vulnerability, it is essential to update your GitLab CE/EE installations to the following patched versions:

- 16.7 through 17.0.x users: update to 17.0.5 or later
- 17.1 users: update to 17.1.3 or later
- 17.2 users: update to 17.2.1 or later
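A quick way to check an installed version against the affected ranges above, as an added Ruby helper that is not part of GitLab or the original post. It uses the standard library's Gem::Version for comparison and strips the "-ce"/"-ee" edition suffix that GitLab appends to reported versions, since Gem::Version would otherwise treat that suffix as a pre-release tag and sort the version too low.

```ruby
# Added helper (not GitLab's code): decide whether a GitLab CE/EE version string
# falls inside the affected ranges for CVE-2024-7057 listed in this post.
require "rubygems"

# Each entry: [first affected version (inclusive), first fixed version (exclusive)].
AFFECTED_RANGES = [
  ["16.7", "17.0.5"],
  ["17.1", "17.1.3"],
  ["17.2", "17.2.1"],
].freeze

# GitLab reports versions such as "17.1.2-ee"; the edition suffix must be removed
# before parsing, otherwise Gem::Version treats it as a pre-release (17.1.2-ee < 17.1.2).
def parse_gitlab_version(version_string)
  Gem::Version.new(version_string.strip.sub(/-(ce|ee)\z/i, ""))
end

def in_range?(version, lo, hi)
  version >= Gem::Version.new(lo) && version < Gem::Version.new(hi)
end

# True when the given version is within one of the affected ranges.
def affected_by_cve_2024_7057?(version_string)
  v = parse_gitlab_version(version_string)
  AFFECTED_RANGES.any? { |lo, hi| in_range?(v, lo, hi) }
end

# Returns the first fixed version on the same release line, or nil if not affected.
def recommended_fix(version_string)
  v = parse_gitlab_version(version_string)
  match = AFFECTED_RANGES.find { |lo, hi| in_range?(v, lo, hi) }
  match && match[1]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  %w[17.0.4-ee 17.0.5 17.1.2-ce 17.2.0 17.2.1 16.6.9].each do |ver|
    fix = recommended_fix(ver)
    puts "#{ver}: #{fix ? "affected, upgrade to #{fix}" : "not affected"}"
  end
end
```

Run it against the version shown on your instance's /help page or returned by the version API; anything it flags should be scheduled for the listed upgrade.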

Moreover, verify that your organization's access control policies are maintained and enforced throughout your infrastructure. Keep a close eye on user authentication and authorization mechanisms, including who can read which jobs' artifacts, to ensure that only valid users with appropriate permissions access your organization's data.

By taking these steps and staying informed about any other potential vulnerabilities, you can help safeguard your organization's data, resources, and overall security posture from potential threats and unauthorized access.

Conclusion

CVE-2024-7057 is a serious information disclosure vulnerability that puts many GitLab CE/EE users at risk. It can enable unauthorized users or attackers to gain access to your organization's sensitive job artifacts, posing a risk to your organization's data and processes. To reduce your exposure to this issue, it is vital to update your GitLab CE/EE installations to the patched versions and to ensure that proper access control policies are in place.

Timeline

Published on: 07/25/2024 01:15:10 UTC
Last modified on: 07/26/2024 15:55:10 UTC