Urgent GitLab Update Patches Account Takeover Flaw, Other High-Severity Bugs

CVE-2024-4024

GitLab’s recent security release addresses a series of vulnerabilities that could have far-reaching consequences for your code repositories and development workflows. These flaws range from the potential for complete account hijacking to resource-draining denial-of-service attacks. If your organization uses GitLab, upgrading to versions 16.11.1, 16.10.4, or 16.9.6 is mandatory.

CVE-2024-4024

Key Vulnerabilities Patched:

  • CVE-2024-4024: Account Takeover Through Bitbucket OAuth (CVSS 7.3)

    • Under specific circumstances, an attacker with stolen Bitbucket credentials could potentially take over a GitLab account linked to another user’s Bitbucket account.
    • If your instance uses Bitbucket as an OAuth provider, users need to re-link their accounts before May 16th to maintain access.
  • CVE-2024-2434: Path Traversal Opens Door to Attacks (CVSS 8.5)

    • Attackers could exploit path traversal to cause denial-of-service (DoS) attacks or read restricted files on affected systems.
  • CVE-2024-2829: Wildcards Cause Denial of Service (CVSS 7.5)

    • Maliciously crafted wildcard filters in GitLab’s FileFinder search could lead to resource exhaustion, causing a DoS condition.
  • CVE-2024-4006: Access Tokens Overreach (CVSS 4.3)

    • Personal Access Token (PAT) scopes were not properly enforced in GraphQL subscriptions, potentially allowing unauthorized actions.
  • CVE-2024-1347: Email Tricks Bypass Security (CVSS 4.3)

    • Domain-based restrictions on GitLab instances or groups could be circumvented using specially formatted email addresses.

Why This Matters

These vulnerabilities range from medium to high severity but all carry significant risk. The Bitbucket OAuth flaw, in particular, highlights the dangers of account linking. Attackers often target interconnected services to expand their attack surface.

What to Do

  1. Upgrade Immediately: Apply the appropriate patch for your GitLab CE or EE deployment. GitLab.com has already been patched.

  2. Re-Link Bitbucket Accounts: If you use Bitbucket OAuth with GitLab, ensure users reauthenticate with their Bitbucket accounts before May 16th to avoid access disruptions.

  3. Stay Vigilant: Security is an ongoing process. Subscribe to GitLab security advisories and maintain proactive patching practices across your development infrastructure.

The Evolving Threat to DevOps Tools

This GitLab advisory underscores the growing focus of attackers on DevOps platforms. As essential tools for code collaboration and deployment, they have access to sensitive data and can provide gateways to wider production environments. Protecting your DevOps pipeline is critical for safeguarding your software and business.