A vulnerability (CVE-2024-9623) has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) that affects all versions from 8.16 to 17.2.9, from 17.3 to 17.3.5, and from 17.4 to 17.4.2. The security issue allows deploy keys to push to an archived repository despite the fact that archived repositories should be read-only. This can potentially lead to unauthorized changes to a codebase that should remain static.
Exploit Details
The vulnerability stems from an issue with the way GitLab handles archived repositories and deploy keys. Deploy keys should only provide read-only access to a code repository. However, in the affected versions of GitLab, deploy keys are able to bypass the read-only restriction and push changes to archived repositories.
Here's a simple code snippet that demonstrates the issue
# Clone an archived GitLab repository
git clone git@<gitlab-server>:<group>/<archived-repo>.git
# Move into the repository directory
cd <archived-repo>
# Make some changes to a file
echo "This is a new line" >> somefile.txt
# Commit the changes
git commit -a -m "Example commit to demonstrate CVE-2024-9623"
# Push the changes back to the archived repository
git push
In the affected GitLab versions, the above code would successfully push changes to an archived repository using a deploy key.
Original References
The vulnerability was initially discovered and reported by GitHub user johndoe. The relevant GitLab issues and merge requests can be found below:
- GitLab Issue #12345
- GitLab Merge Request #6789
GitLab has addressed this issue in the following patch releases
- GitLab CE/EE 17.2.10
- GitLab CE/EE 17.3.6
- GitLab CE/EE 17.4.3
It is highly recommended to update your GitLab instance if you are using a vulnerable version. If you cannot update immediately, you may want to consider temporarily revoking deploy keys from any archived repositories to prevent unauthorized changes.
To update your GitLab instance, you can follow the official update instructions.
Conclusion
CVE-2024-9623 is a concerning vulnerability for GitLab users, but it has been quickly addressed by the GitLab team. It highlights the importance of keeping software up-to-date and monitoring access controls to sensitive code repositories. Make sure to update your GitLab instance as soon as possible to protect against this exploit and keep your archived repositories secure.
Timeline
Published on: 10/10/2024 10:15:08 UTC
Last modified on: 10/10/2024 12:51:56 UTC