Latest GitLab vulnerability (CVE-2024-45409) #
GitLab has issued a critical patch release to resolve a Security Assertion Markup Language (SAML) authentication bypass vulnerability that affects self-hosted instances of both GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability isn't specific to GitLab however. The root issue resides within two open source Ruby libraries that GitLab uses to handle SAML authentication requests.
CVE-2024-45409 is rated critical with CVSS score of 10.0, and potentially allows for an attacker to bypass SAML authentication.
What is the impact? #
According to GitLab, successful exploitation of this vulnerability allows for an unauthenticated attacker to gain access to a self-hosted GitLab instance, if configured to provide authentication using SAML.
Are updates or workarounds available? #
For customers running self-hosted instances of GitLab, patches are available for download through their website. GitLab is advising customers running self-hosted instances to "upgrade to the latest version as soon as possible". If unable to patch the systems, the security advisory also includes mitigation instructions, which consist of enabling two-factor authentication and disabling the SAML two-factor bypass settings within GitLab. For more information, refer to the Security fixes of the patch release linked above.
For customers subscribed to GitLab's SaaS product (gitlab.com), no additional action is required.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
product:gitlab
September 11, 2024 (CVE-2024-6678) #
On September 11, GitLab has issued a patch release for seventeen vulnerabilities that affect both GitLab Community Edition (CE) and Enterprise Edition (EE).
CVE-2024-6678 is rated critical with CVSS score of 9.9, and potentially allows for unauthorized resource access by an attacker.
In addition to the critical CVE, three high-severity vulnerabilities were also disclosed in the patch release.
CVE-2024-8640 is rated high with CVSS score of 8.5, which can lead to the remote execution of arbitrary code.
CVE-2024-8635 is rated high with CVSS score of 7.7, which can result in unauthorized access to resources.
CVE-2024-8124 is rated high with CVSS score of 7.5, which can result in a Denial of Service.
What is the impact? #
According to GitLab, successful exploitation of this vulnerability allows for an attacker to "trigger a pipeline as an arbitrary user under certain circumstances".
Are updates or workarounds available? #
For customers running self-hosted instances of GitLab, patches are available for download through their website. For customers already subscribed to GitLab's SaaS product (gitlab.com), no additional action is required.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
product:gitlab
February 2022 (CVE-2022-0735) #
The development team at GitLab issued a new critical security release that patches seven recently-disclosed vulnerabilities in GitLab software. Reported by customers, security researchers, and GitLab team members, these vulnerabilities are located in various components of the software and affect both GitLab Community and Enterprise editions:
- CVE-2022-0735 (CVSS "critical" score of 9.6) - Unauthorized users can steal runner registration tokens via quick actions commands
- CVE-2022-0549 (CVSS "medium" score of 6.5) - Unprivileged users can add other users to groups via the API
- CVE-2022-0751 (CVSS "medium" score of 6.5) - snippet content can be manipulated to display inaccurate/misleading data from an unauthorized user
- CVE-2022-0741 (CVSS "medium" score of 5.8) - Environment variables can be leaked via sendmail
- CVE-2021-4191 (CVSS "medium" score of 5.3) - User enumeration of private GitLab instances (with restricted sign-ups) can be possible by unauthenticated users via the GraphQL API
- CVE-2022-0738 (CVSS "medium" score of 4.2) - User passwords can be leaked when adding pull mirrors with SSH credentials
- CVE-2022-0489 (CVSS "low" score of 3.5) - A denial-of-service condition can be trigger by using the math feature with a specific formula in issue comments
Is an update available? #
To avoid possible exploitation of the above vulnerabilities, GitLab recommends all admins update to GitLab versions 14.8.2, 14.7.4, and 14.6.5 for Community Edition (CE) and Enterprise Edition (EE) installations. If upgrading instances isn't viable in the near-term, GitLab does provide a hotpatch for the runner token disclosure vulnerability–the most severe vulnerability of the bunch–for a number of GitLab versions, suitable as a temporary mitigation until a full update can be performed.
How do I find potentially vulnerable GitLab instances with runZero? #
From the Asset Inventory, use the following pre-built query to locate GitLab assets within your network that are potentially vulnerable:
product:gitlab
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.