A newly discovered issue, tracked as CVE-2024-8233, affects GitLab Community Edition (CE) and Enterprise Edition (EE), specifically versions 9.4 to 17.4.5, 17.5 to 17.5.3, and 17.6 to 17.6.1. The vulnerability allows an attacker to cause a denial of service (DoS) by sending requests for diff files on a commit or merge request. This post explains the vulnerability, shows a code snippet illustrating the problem, links to the original references, and describes how to mitigate the issue in affected GitLab installations.

Exploit Details

The vulnerability resides in the way GitLab CE/EE processes requests for diff files on a commit or merge request. An attacker can craft a series of specifically designed requests that could overwhelm the system and lead to a DoS condition, rendering the GitLab instance unusable for legitimate users.

The following code snippet highlights the vulnerable part in the GitLab CE/EE codebase:

# app/controllers/projects/commit_controller.rb
def render_diff
  @commit = project.commit(params[:id])

  # Vulnerable part: Diff file processing without rate limiting
  diff_file = params[:path]
  diff_data = @commit.diff_file(diff_file)

  render json: {
    html: view_to_html_string("projects/commit/_commit_file", diff: diff_data),
  }
end

Gain enough access to send requests for diff files on a commit or merge request.

3. Craft and send multiple, simultaneous requests for diff files, causing the system to consume a large amount of resources.

Original References

- GitLab Advisory: https://about.gitlab.com/releases/2024/01/30/security-release-gitlab-17-4-6-released/
- National Vulnerability Database: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-8233

Mitigation Steps

To effectively mitigate the vulnerability, administrators of affected GitLab instances should update their installation to a patched version: GitLab 17.4.6, 17.5.4, or 17.6.2, depending on their current version.

The upgrade process can be executed by following the official GitLab documentation:

1. Visit the GitLab Update page: https://docs.gitlab.com/ee/update/
2. Follow the instructions provided for your specific version and installation method (Omnibus package or source code installation).
3. Verify that the update has been applied successfully by navigating to the "Help" section in the GitLab instance and confirming the updated version number.
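
To support the verification step across several instances, the following added example (not code from GitLab or from the original post) classifies version strings against the affected ranges and patched releases listed above. It assumes "9.4", "17.5" and "17.6" mean x.y.0; the helper names and the sample inventory are hypothetical.

```ruby
# Added example (not GitLab code): classify version strings against the
# affected ranges and patched releases listed in this post.
AFFECTED_RANGES = [
  # first affected, last affected, patched release (all from the post;
  # "9.4", "17.5" and "17.6" are read as x.y.0, which is an assumption)
  [[9, 4, 0],  [17, 4, 5], "17.4.6"],
  [[17, 5, 0], [17, 5, 3], "17.5.4"],
  [[17, 6, 0], [17, 6, 1], "17.6.2"],
].freeze

# Turn "17.5.2", "v17.5" or "17.5.2-ee" into [major, minor, patch].
def parse_gitlab_version(text)
  m = /\Av?(\d+)\.(\d+)(?:\.(\d+))?/.match(text.to_s.strip)
  raise ArgumentError, "unrecognised version: #{text.inspect}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i] # a missing patch component becomes 0
end

# Returns { affected: true/false, upgrade_to: "x.y.z" or nil }.
def cve_2024_8233_status(version_text)
  v = parse_gitlab_version(version_text)
  AFFECTED_RANGES.each do |first, last, patched|
    in_range = (v <=> first) >= 0 && (v <=> last) <= 0
    return { affected: true, upgrade_to: patched } if in_range
  end
  { affected: false, upgrade_to: nil }
end

# Returns the inventory entries that still need the update, with the target.
def instances_needing_update(inventory)
  inventory.filter_map do |host, version_text|
    status = cve_2024_8233_status(version_text)
    [host, version_text, status[:upgrade_to]] if status[:affected]
  end
end

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
  "gitlab-a.example.internal" => "17.4.5-ee",
  "gitlab-b.example.internal" => "17.5.4",
  "gitlab-c.example.internal" => "v17.6.1",
  "gitlab-d.example.internal" => "16.11.10",
}.freeze

instances_needing_update(SAMPLE_INVENTORY).each do |host, current, target|
  puts "#{host}: #{current} is in an affected range, update to #{target}"
end
```

Feed it the version string shown in each instance's "Help" section; an instance that drops out of the result after the upgrade is on a release outside the ranges listed in this post.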

Conclusion

CVE-2024-8233 is a critical vulnerability in GitLab CE/EE that allows an attacker to cause a denial of service condition by sending requests for diff files on a commit or merge request. Administrators of affected GitLab instances are advised to update their installations as soon as possible to protect their systems from potential attacks.

Timeline

Published on: 12/12/2024 12:15:28 UTC