
WARNING: HIGH-SEVERITY VULNERABILITY IN GITLAB

Reference: Advisory #2024-39
Version: 1.0
Affected software: GitLab
Type: Improper Access Control, Incorrect Authorization
CVE/CVSS:
CVE-2024-0199: CVSS 7.7 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-1299: CVSS 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

Risks

GitLab fixed 2 vulnerabilities on 06/03/2024, including a high-severity vulnerability that could allow attackers to bypass authorisation. An attacker could use a crafted payload in an old feature branch to perform malicious actions.
 
GitLab instances contain code repositories. When a code repository is compromised, the integrity and security of the software it hosts is at risk, potentially leading to unauthorised access, data breaches, and widespread distribution of malicious code.
 
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation.
 
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

GitLab fixed 2 vulnerabilities on 06/03/2024, including a high-severity vulnerability that could allow attackers to bypass authorisation:
 
CVE-2024-0199: Authorisation bypass vulnerability. Bypassing CODEOWNERS approval allows an attacker to steal protected variables. An attacker could bypass CODEOWNERS by using a crafted payload in an old feature branch to perform malicious actions.
 
CVE-2024-1299: Privilege escalation vulnerability. A guest with the "manage group access tokens" permission can rotate and view group access tokens with owner permissions. It was possible for a user with a custom role granting manage_group_access_tokens to rotate group access tokens with owner privileges.
 
GitLab has released software patches that address these vulnerabilities.

Recommended Actions

Patch
The Centre for Cyber Security Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.
The latest version of the involved product can be found on their website: https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-...
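To verify that an instance actually runs a fixed release, the following script queries the GitLab version endpoint and compares the running version against the fixed versions for each minor branch. This is an added example written for this advisory, not CCB or GitLab code. It assumes the standard GET /api/v4/version endpoint (which returns a JSON object with a "version" field and requires a token with read_api scope) and the environment variables GITLAB_URL, GITLAB_TOKEN and GITLAB_FIXED_VERSIONS, which are this example's own names; the fixed versions themselves must be taken from the GitLab release post linked above, as the script deliberately ships with no built-in list.

```python
"""Check whether a GitLab instance runs a release at or above the fixed
version for its minor branch.

Added example for this advisory; not CCB or GitLab code. The fixed
versions are supplied by the operator (from the GitLab release post),
never hard-coded here.
"""
import json
import os
import re
import sys
import urllib.request
from typing import Iterable, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '16.9.1' or '16.9.1-ee' into (16, 9, 1); edition suffix is ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(running: str, fixed_versions: Iterable[str]) -> str:
    """Classify the running version against the fixed releases.

    Returns 'patched', 'vulnerable' or 'unknown-branch'. GitLab backports
    fixes to a limited set of minor branches; a branch older than every
    fixed branch is assumed not to have received the fix.
    """
    run = parse_version(running)
    fixed = [parse_version(v) for v in fixed_versions]
    if not fixed:
        raise ValueError("no fixed versions supplied")

    same_branch = [f for f in fixed if f[:2] == run[:2]]
    if same_branch:
        return "patched" if run >= min(same_branch) else "vulnerable"

    newest_branch = max(f[:2] for f in fixed)
    oldest_branch = min(f[:2] for f in fixed)
    if run[:2] > newest_branch:
        return "patched"        # released after the fix
    if run[:2] < oldest_branch:
        return "vulnerable"     # branch no longer receiving backports
    return "unknown-branch"     # branch between fixed ones without a listed fix


def fetch_running_version(base_url: str, token: str) -> str:
    """Read the instance version from GET /api/v4/version (needs read_api)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Operator-supplied inputs; GITLAB_FIXED_VERSIONS is a comma-separated
    # list copied from the release post (e.g. "A.B.C,A.D.E").
    base_url = os.environ["GITLAB_URL"]
    token = os.environ["GITLAB_TOKEN"]
    fixed_list = [v.strip() for v in os.environ["GITLAB_FIXED_VERSIONS"].split(",") if v.strip()]

    running = fetch_running_version(base_url, token)
    verdict = assess(running, fixed_list)
    print(f"{base_url}: running {running} -> {verdict}")
    sys.exit(0 if verdict == "patched" else 1)
```

Run it once per instance with the three environment variables set; a non-zero exit makes it easy to wire into an inventory or CI check. Because GitLab only backports to a few minor branches, an instance on an older branch is reported as vulnerable even though no fix exists for that branch, which is the correct operational reading: it must be upgraded to a supported branch.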
 
Monitor/Detect
The CCB recommends that organisations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-...