CVE-2024-7554 - GitLab CE/EE: Security vulnerability with leaked access tokens affecting multiple versions

A critical security vulnerability, identified as CVE-2024-7554, has been recently uncovered in GitLab CE/EE (Community Edition and Enterprise Edition). The problem impacted all versions of GitLab CE/EE starting from 13.9 before 17..6, all versions starting from 17.1 before 17.1.4, and all versions starting from 17.2 before 17.2.2. Due to this issue, under specific circumstances, access tokens may have been logged when an API request was made in a specific manner. The vulnerability poses a significant risk to the affected organizations, as it exposes sensitive tokens to unauthorized users, potentially leading to unauthorized access to their accounts and sensitive data.

Code Snippet

The problem occurs when the API request is made using certain conditions, leading to the access token being logged. Here's a code snippet to help illustrate the issue:

// Example API request where the access token is logged
https://gitlab.example.com/api/v4/projects?access_token=abcdefgh12345678

In this example, the API request includes the access_token parameter within the URL. Due to the security vulnerability, the access token may end up being logged.

Exploit Details

An attacker can potentially exploit this vulnerability by gaining unauthorized access to GitLab user accounts and projects through the leaked access tokens. This may lead to data compromise, unauthorized modifications, or even account takeover.

The vulnerability occurs when a user makes an API request using a specific manner, which includes placing the access token as a query parameter in the URL rather than including it in the header or the request body. As a result, the token gets exposed in the logs, making it accessible to unauthorized users.

Original References

GitLab acknowledged this issue and released security patches to address the vulnerability. For more information, you can refer to the official announcements and mitigation guidelines provided by GitLab:

1. GitLab Security Advisory
2. GitLab Security Release: 17..6, 17.1.4, and 17.2.2
3. CVE-2024-7554: GitLab Access Tokens Logged

How to Mitigate

To mitigate this issue, it is highly recommended to update your GitLab installation to the latest secure version immediately:

- GitLab CE/EE 17. users, please update to version 17..6
- GitLab CE/EE 17.1 users, please update to version 17.1.4
- GitLab CE/EE 17.2 users, please update to version 17.2.2

Additionally, it is advisable to review the logs to identify instances where the access tokens were logged and take necessary actions, such as rotating the affected tokens and ensuring that no unauthorized access has occurred.

Conclusion

CVE-2024-7554 is a critical security vulnerability that affects multiple versions of GitLab CE/EE. It is crucial for organizations and developers to promptly apply the necessary security patches and follow the mitigation guidelines to protect their accounts and data from unauthorized access. Regularly updating your applications and adhering to security best practices can go a long way in preventing similar issues in the future.

Timeline

Published on: 08/08/2024 11:15:13 UTC
Last modified on: 08/08/2024 13:04:18 UTC