The CVE-2024-8974 vulnerability refers to an information disclosure issue affecting all GitLab Enterprise Edition (EE) and Community Edition (CE) versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions, this vulnerability allows unauthorized users to access the path of a private project.
In this long-read post, we will cover the details of this vulnerability, including code snippets, links to the original references, and exploit details. We will also discuss the potential risks involved and what users can do to protect their GitLab instances from this vulnerability.
The primary cause of this vulnerability lies in the improper access control implemented for private projects in the affected GitLab versions. Owing to this issue, an unauthorized user may be able to view the project's path in specific circumstances.
The vulnerability manifests itself when an unauthorized user interacts with issues/milestones assigned to a private project. An affected project's path is disclosed in the response provided to the unauthorized user in these cases.
Code Snippet
The following code snippet demonstrates an example of the vulnerable implementation leading to the information disclosure issue:
    def build_issues_params
      params = dashboard_filter_params
      # Fall back to every project the current user is authorized for only when
      # the request supplied no project filter of its own.
      params[:project_id] = current_user.authorized_project_ids if project_ids.nil?
      params
    end
Here, authorized_project_ids returns the IDs of the projects the current user is permitted to access, but the method uses that list only as a default when no project filter was supplied; it performs no further access-control check on the project IDs that end up in the query, so in the circumstances described above the private project's path is exposed to an unauthorized user.
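To make the access-control point concrete, here is an added example that is not GitLab's code: a self-contained Ruby model of the pattern in the snippet above, with the unchecked version beside a hardened one that intersects the requested project IDs with the user's authorized set. Project, User, PROJECTS, the sample paths and the helper names are all constructed for this illustration.

```ruby
# Constructed model (not GitLab's code) of the pattern in the snippet above.
Project = Struct.new(:id, :path, :visibility)

class User
  attr_reader :authorized_project_ids

  def initialize(authorized_project_ids)
    @authorized_project_ids = authorized_project_ids
  end
end

# Constructed sample data: one public and one private project.
PROJECTS = {
  1 => Project.new(1, "group/public-site", :public),
  2 => Project.new(2, "group/secret-payroll", :private),
}.freeze

# Vulnerable pattern: the authorized list is only a fallback for a missing
# project filter, so caller-supplied project IDs flow through unchecked.
def build_issues_params_vulnerable(current_user, requested_project_ids)
  params = {}
  params[:project_id] =
    requested_project_ids.nil? ? current_user.authorized_project_ids : requested_project_ids
  params
end

# Hardened pattern: whatever the caller supplies is intersected with the set
# the user is authorized for, so an unreadable private project ID is dropped.
def build_issues_params_hardened(current_user, requested_project_ids)
  allowed = current_user.authorized_project_ids
  requested = requested_project_ids.nil? ? allowed : requested_project_ids
  { project_id: requested & allowed }
end

# The listing resolves project IDs to paths for the response body; this is the
# point where an unchecked ID becomes a disclosed private project path.
def disclosed_paths(params)
  params[:project_id].map { |id| PROJECTS.fetch(id).path }
end

if __FILE__ == $0
  guest = User.new([1]) # may read only the public project
  p disclosed_paths(build_issues_params_vulnerable(guest, [2])) # => ["group/secret-payroll"]
  p disclosed_paths(build_issues_params_hardened(guest, [2]))   # => []
end
```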
Exploit Details
An attacker can exploit this vulnerability by making a specially crafted request to the affected GitLab instance. The exploit uses the project ID of a private project and an issue or milestone linked to that project.
Here is an example of an exploit using the authorized_project_ids list:
    GET /api/v4/authorized_project_ids/users/:id
    Authorization: Bearer <private_token>
Upon successful exploitation, the attacker receives a response containing the project's path, which was supposed to be private.
Official GitLab Security Advisory
https://about.gitlab.com/releases/2022/01/15/critical-security-release-gitlab-14281/
CVE-2024-8974 details
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8974
Mitigations
To protect your GitLab instance from this vulnerability, you should apply the appropriate patches provided by GitLab as soon as possible. The patched versions are 17.2.8, 17.3.4, and 17.4.1 or later.
You can also reduce exposure by restricting network access to the API, for example by configuring your firewall or reverse proxy to allow only specific source IP addresses or user agents; a user-agent filter is easily bypassed, so treat it as a defence-in-depth measure rather than an access control.
Conclusion
CVE-2024-8974 is a critical information disclosure vulnerability affecting multiple GitLab EE/CE versions. It highlights the importance of proper access control and secure coding practices for web applications. By staying vigilant and applying patches when necessary, you can help protect your systems from such vulnerabilities and ensure the safety of your data.
Timeline
Published on: 09/26/2024 23:15:03 UTC
Last modified on: 09/30/2024 12:46:20 UTC