The Common Vulnerabilities and Exposures (CVE) system tracks a security issue in GitLab Enterprise Edition (EE) under the identifier CVE-2024-7296. The vulnerability affects all GitLab EE versions from 16.5 up to, but not including, 17.7.7; from 17.8 up to, but not including, 17.8.5; and from 17.9 up to, but not including, 17.9.2. This article covers the problem, its root cause, how it could be exploited, and how to fix it.
Background
The flaw in GitLab EE lies in how project membership requests are approved. A user holding a custom role (custom permissions) could approve pending membership requests beyond the maximum number of users allowed for that project. The consequences range from uncontrolled onboarding of project members to unexpected seat and billing costs.
Exploit Details
The vulnerability is exercised by a user with custom permissions approving membership requests, which GitLab processed without regard to the maximum number of users configured for the project. The simplified snippet below illustrates the oversight in the membership-request approval path:
# Simplified illustration of the flawed approval path.
class ApproveMembershipService
  def execute(request)
    # Only the approver's own permission is checked ...
    if can?(current_user, :manage_access, request.source)
      approved_user = request.user
      # ... the project's maximum member count is never consulted before adding.
      request.source.add_users([approved_user], request.access_level)
      request.destroy
      approved_user
    else
      nil
    end
  end
end
The can? call checks only whether current_user may manage access to the project; nothing verifies that the project has not already reached its maximum number of users, so every approval succeeds regardless of the limit.
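To show where the missing check belongs, here is an added, self-contained Ruby example of a hardened approval service. It is not GitLab's code: the Project, MembershipRequest and Policy classes, the :manage_access ability, the max_members attribute and the Mutex-based locking are simplified stand-ins for GitLab's real models and database-level locking, and are assumptions of this example.

```ruby
# Added illustrative example: an approval service that enforces the project's
# member limit server-side. Project, MembershipRequest, Policy and
# :manage_access are simplified stand-ins (assumptions), not GitLab's models.

class LimitExceededError < StandardError; end

User = Struct.new(:id, :name)
MembershipRequest = Struct.new(:user, :source, :access_level)

class Project
  attr_reader :name, :max_members, :members, :pending_requests

  def initialize(name, max_members: nil)
    @name = name
    @max_members = max_members   # nil means "no limit"
    @members = {}                # user id => access level
    @pending_requests = []
    @lock = Mutex.new            # stand-in for a row-level database lock
  end

  def request_access(user, access_level)
    MembershipRequest.new(user, self, access_level).tap { |r| @pending_requests << r }
  end

  def seats_left
    return Float::INFINITY if max_members.nil?
    max_members - members.size
  end

  # Check and insert happen under one lock, so two concurrent approvals
  # cannot both pass the check and push the project over its limit.
  def add_member!(user, access_level)
    @lock.synchronize do
      raise LimitExceededError, "#{name}: member limit of #{max_members} reached" if seats_left <= 0
      members[user.id] = access_level
    end
  end
end

# Grants map a user id to the abilities that user holds, whether they come
# from a built-in role or a custom role; the service treats both the same.
class Policy
  def initialize(grants)
    @grants = grants
  end

  def can?(user, ability, _source)
    @grants.fetch(user.id, []).include?(ability)
  end
end

class ApproveMembershipService
  Result = Struct.new(:status, :message)

  def initialize(current_user, policy)
    @current_user = current_user
    @policy = policy
  end

  def execute(request)
    project = request.source
    unless @policy.can?(@current_user, :manage_access, project)
      return Result.new(:forbidden, "#{@current_user.name} may not manage access")
    end

    # The fix: the limit is enforced here, regardless of which role the
    # approver holds, so a UI-only check cannot be bypassed by a custom role.
    project.add_member!(request.user, request.access_level)
    project.pending_requests.delete(request)
    Result.new(:success, "#{request.user.name} added as #{request.access_level}")
  rescue LimitExceededError => e
    Result.new(:limit_exceeded, e.message)
  end
end

# Constructed scenario: a project capped at two members, three pending
# requests, one approver holding the ability and one user without it.
def demo_statuses
  outsider = User.new(0, "outsider")
  approver = User.new(1, "custom-role approver")
  policy = Policy.new(1 => [:manage_access])
  project = Project.new("payments", max_members: 2)
  requests = (10..12).map { |i| project.request_access(User.new(i, "dev#{i}"), :developer) }

  statuses = [ApproveMembershipService.new(outsider, policy).execute(requests[0]).status]
  service = ApproveMembershipService.new(approver, policy)
  requests.each { |r| statuses << service.execute(r).status }
  statuses # => [:forbidden, :success, :success, :limit_exceeded]
end

puts demo_statuses.inspect if $PROGRAM_NAME == __FILE__
```

The point of the design is that the seat check lives in the same service that performs the insert and is evaluated for every approver, built-in or custom role alike; a limit enforced only in the membership UI, or only for the maintainer role, is exactly what a custom permission path walks around. The third request in the demo stays pending rather than being approved past the cap.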
For more information, consult the following original references:
1. GitLab's official security release announcement, which reported the vulnerability and provided patches for the affected versions.
2. The entry in GitLab's issue tracker where the vulnerability was first reported with a detailed explanation and a proposed fix was discussed.
Mitigation and Patching
To resolve the issue, ensure that your GitLab EE installation is up to date. Upgrade to the patched release for the series you are running:
In the case of GitLab EE 17.7, update to 17.7.7 or later
In the case of GitLab EE 17.8, update to 17.8.5 or later
In the case of GitLab EE 17.9, update to 17.9.2 or later
If you run an earlier affected release (16.5 through 17.6), follow GitLab's supported upgrade path to 17.7.7 or a later patched version.
You can consult the official upgrade guide provided by GitLab for more detailed instructions on updating your GitLab installation.
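Before scheduling the upgrade, it helps to check mechanically whether a given instance version falls inside the affected ranges listed in this article. The following Ruby helper is an added example, not GitLab's code; it encodes the three ranges from the advisory and uses Gem::Version (shipped with Ruby) for the comparison.

```ruby
# Added helper (not from GitLab): decide whether a GitLab EE version string
# falls inside the affected ranges this article lists for CVE-2024-7296.
require "rubygems" # Gem::Version; already loaded by default in modern Ruby

AFFECTED_RANGES = [
  # [first affected version (inclusive), first fixed version (exclusive)]
  ["16.5", "17.7.7"],
  ["17.8", "17.8.5"],
  ["17.9", "17.9.2"],
].freeze

def cve_2024_7296_affected?(version_string)
  # Drop an edition suffix such as "-ee" so "17.8.3-ee" compares as 17.8.3.
  version = Gem::Version.new(version_string.strip.sub(/-.*\z/, ""))
  AFFECTED_RANGES.any? do |first_affected, first_fixed|
    version >= Gem::Version.new(first_affected) && version < Gem::Version.new(first_fixed)
  end
end

# Constructed sample inputs, as a quick self-check when run directly.
if $PROGRAM_NAME == __FILE__
  %w[16.4.9 16.5.0 17.7.6-ee 17.7.7 17.8.3-ee 17.8.5 17.9.1 17.9.2].each do |v|
    puts "#{v}: #{cve_2024_7296_affected?(v) ? 'AFFECTED' : 'not affected'}"
  end
end
```

Feed it the version string of your instance, for example the version field returned by the authenticated GET /api/v4/version endpoint. The helper only compares version numbers against the published ranges; it does not confirm that the patched code is actually running, so treat a "not affected" answer as a starting point and still follow the release notes for your series.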
By applying the recommended patches, you close the gap described in this article: users with custom permissions can no longer approve pending membership requests beyond the maximum number of users allowed for a project.
Stay informed about similar vulnerabilities by subscribing to GitLab's security blog and adhering to best practices for securing your GitLab instance.
Timeline
Published on: 03/13/2025 06:15:35 UTC