CVE-2024-8650 - GitLab Merge Request Vulnerability: Unresolved Threads of Internal Notes in Public Projects Exposed to Non-Member Users

A software vulnerability (CVE-2024-8650) was recently discovered in GitLab, a popular web-based DevOps platform that enables software development teams to collaborate on projects. This vulnerability affects GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) across several versions.

Technical Details of the Vulnerability

The vulnerability, identified by its tracking number CVE-2024-8650, allows non-member users to view unresolved threads marked as internal notes in public projects merge requests. In other words, confidential discussion threads that are supposed to be visible only to project team members become exposed to anyone with access to the public project.

Here is a code snippet that demonstrates this vulnerability

def accessible?(user)
  return project.public? &&
           noteable &&
           noteable.discussion_unlocked?(user) &&
           self.public?
end

In the code above, the accessible? function should restrict the visibility of internal discussion threads to authorized users, i.e., users who have membership in the project. However, the function incorrectly allows access to public projects without checking a user's membership status.

How to Fix Affected GitLab Instances

To protect your GitLab instances from this vulnerability, you need to upgrade to a version that includes the security patch for this issue. Here are the recommended versions to upgrade to:

For GitLab versions from 17.6 to 17.6.2, upgrade to version 17.6.3 or later.

After upgrading, verify that the vulnerability has been resolved by ensuring that non-member users cannot view unresolved threads marked as internal notes in public projects merge requests.

Links to Original References

For further information about CVE-2024-8650 and its impact on GitLab, refer to the following original references:

- GitLab Security Release: https://about.gitlab.com/releases/2022/01/17/security-release-gitlab-14-8-4-released/
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8650
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-8650

Conclusion

CVE-2024-8650 is a significant vulnerability that has the potential to expose sensitive internal discussions to unauthorized users. It is essential for GitLab administrators to upgrade their instances to protect their projects from possible exploitation. Keep your software up-to-date and monitor security advisories to ensure the safety and integrity of your code and projects.

Timeline

Published on: 12/16/2024 05:15:05 UTC