CVE-2018-17455

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to access sensitive information about GitLab groups through an insecure direct object reference in the merge request approvals feature. Attackers can obtain group names, avatars, LDAP settings, and descriptions without proper authorization. Affected systems include GitLab Enterprise Edition versions before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1.

💻 Affected Systems

Products:
  • GitLab Enterprise Edition
Versions: Before 11.1.7, 11.2.x before 11.2.4, 11.3.x before 11.3.1
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitLab Enterprise Edition, not Community Edition. Requires merge request approvals feature to be enabled.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

Learn more about Gitlab →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map organizational structure, identify LDAP configurations for potential credential attacks, and gather intelligence for social engineering or targeted attacks.

🟠

Likely Case

Unauthorized disclosure of group metadata including names, descriptions, and organizational structure, potentially exposing internal team information.

🟢

If Mitigated

Limited exposure of non-sensitive group information with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH - GitLab instances exposed to the internet are directly vulnerable to information disclosure attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still exploit this to gather organizational intelligence.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the GitLab instance but doesn't require authentication to the vulnerable endpoint. The vulnerability is an IDOR (Insecure Direct Object Reference) that can be exploited through crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1.7, 11.2.4, or 11.3.1

Vendor Advisory: https://about.gitlab.com/releases/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab EE 11.1.7, 11.2.4, or 11.3.1 or later.
3. Restart GitLab services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable merge request approvals feature
Applies to: all
Temporarily disable the vulnerable feature until patching can be completed.
Steps: Navigate to Admin Area > Settings > General > Merge request approvals and disable the feature.

Restrict access to merge request approvals endpoint
Applies to: all
Implement network-level restrictions to limit access to the vulnerable endpoint.
Steps: Configure firewall rules or a WAF to restrict access to the /api/v4/groups/*/approvals endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GitLab instances from untrusted networks
  • Enable enhanced logging and monitoring for suspicious access patterns to group information endpoints

🔍 How to Verify

Check if Vulnerable:

Check GitLab version via Admin Area or run: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Verify Fix Applied:

Confirm the running version is at or above the fixed release for its branch (11.1.7 on 11.1, 11.2.4 on 11.2, 11.3.1 on 11.3, or any later release), then test that group information is no longer retrievable through the insecure direct object reference.
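The version criteria in this advisory are easy to misread (11.1.7 is fixed, but 11.2.0 is not, even though it is "later"). The script below is an added example, not part of this page or of GitLab's own tooling: it encodes the affected ranges as a branch-aware comparison and accepts either a bare version string or a line of `gitlab-rake gitlab:env:info` output. The `-ee` / `-ce` edition suffix it looks for is an assumption about how GitLab tags its versions.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_IN = {
    (11, 1): (11, 1, 7),
    (11, 2): (11, 2, 4),
    (11, 3): (11, 3, 1),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+))?")


def parse_version(text):
    """Extract (major, minor, patch) and the edition suffix from a version string or
    from a line of `gitlab-rake gitlab:env:info` output. The '-ee' / '-ce' suffix
    is an assumption about GitLab's version tagging (e.g. '11.2.3-ee')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    edition = (m.group(4) or "").lower()
    return version, edition


def is_affected(text):
    """True if the version is inside an affected range for CVE-2018-17455.

    Affected: EE before 11.1.7, 11.2.x before 11.2.4, 11.3.x before 11.3.1.
    A version without an edition suffix is treated as EE (the conservative choice).
    """
    version, edition = parse_version(text)
    if edition and edition != "ee":
        return False  # the advisory scopes this to Enterprise Edition only
    major, minor, _ = version
    if version < (11, 1, 7):
        return True  # everything up to and including 11.1.6
    branch_fix = FIXED_IN.get((major, minor))
    if branch_fix is not None:
        return version < branch_fix  # 11.2.x / 11.3.x below their fixed patch level
    return False  # 11.4 and later were never affected


def classify(text):
    """Human-readable verdict for a version string."""
    return "VULNERABLE" if is_affected(text) else "not affected"


if __name__ == "__main__":
    # Constructed sample lines; on a real host feed in the output of the rake command.
    for line in ["GitLab version: 11.2.3-ee", "11.3.1-ee", "11.0.5-ce"]:
        print(f"{line:30} -> {classify(line)}")
```

Pipe the real command into it (`sudo gitlab-rake gitlab:env:info | grep 'GitLab version' | python3 check.py` with a small stdin wrapper) or call `classify()` from an inventory script that already collects versions across instances.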

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /api/v4/groups/*/approvals endpoint
  • Multiple failed authorization attempts followed by successful group information retrieval

Network Indicators:

  • Unusual HTTP requests to group approval endpoints from unexpected IP addresses
  • Patterns of sequential group ID enumeration

SIEM Query:

source="gitlab" AND (uri_path="/api/v4/groups/*/approvals" OR uri_path LIKE "/api/v4/groups/%/approvals") AND response_code=200
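The two log indicators above (sequential group ID enumeration, and authorization failures followed by a successful read) can be checked offline against exported request logs when no SIEM is available. The script below is an added example, not part of this page or of GitLab; the sample records are constructed in a simplified one-JSON-object-per-line shape with `time`, `ip`, `user_id`, `method`, `path` and `status` fields, which is an assumption and not GitLab's exact `api_json.log` schema. It keys on the endpoint path named in the advisory.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory's log indicators; the numeric group ID is captured.
APPROVALS_RE = re.compile(r"^/api/v4/groups/(\d+)/approvals/?$")

# Constructed sample log (simplified schema, see lead-in): one benign reader and one
# source walking consecutive group IDs after a couple of denied requests.
SAMPLE_LOG = """\
{"time":"2018-10-01T10:00:00Z","ip":"10.0.0.5","user_id":42,"method":"GET","path":"/api/v4/projects/7/merge_requests","status":200}
{"time":"2018-10-01T10:00:01Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/101/approvals","status":403}
{"time":"2018-10-01T10:00:02Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/102/approvals","status":403}
{"time":"2018-10-01T10:00:03Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/103/approvals","status":200}
{"time":"2018-10-01T10:00:04Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/104/approvals","status":200}
{"time":"2018-10-01T10:00:05Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/105/approvals","status":200}
{"time":"2018-10-01T10:00:06Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/106/approvals","status":200}
{"time":"2018-10-01T10:00:07Z","ip":"10.0.0.9","user_id":77,"method":"GET","path":"/api/v4/groups/107/approvals","status":200}
{"time":"2018-10-01T10:30:00Z","ip":"10.0.0.5","user_id":42,"method":"GET","path":"/api/v4/groups/12/approvals","status":200}
"""


def parse_events(text):
    """Yield (time, ip, user_id, group_id, status) for hits on the approvals endpoint only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = APPROVALS_RE.match(rec.get("path", ""))
        if not m:
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, rec["ip"], rec.get("user_id"), int(m.group(1)), int(rec["status"])


def find_enumeration(text, min_groups=5, window=timedelta(minutes=5)):
    """Flag a source (ip, user) that successfully read >= min_groups distinct group IDs
    inside `window`, and record whether those IDs form a consecutive run."""
    by_source = defaultdict(list)
    for ts, ip, user, gid, status in parse_events(text):
        if status == 200:
            by_source[(ip, user)].append((ts, gid))
    alerts = []
    for (ip, user), hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [g for t, g in hits[i:] if t - start <= window]
            ids = sorted(set(in_window))
            if len(ids) >= min_groups:
                sequential = ids == list(range(ids[0], ids[0] + len(ids)))
                alerts.append({"ip": ip, "user_id": user, "group_ids": ids, "sequential": sequential})
                break  # one alert per source is enough for triage
    return alerts


def find_denied_then_success(text, min_failures=2):
    """Flag a source whose 403/404 responses on the endpoint are followed by a 200."""
    by_source = defaultdict(list)
    for ts, ip, user, _gid, status in parse_events(text):
        by_source[(ip, user)].append((ts, status))
    alerts = []
    for (ip, user), hits in by_source.items():
        hits.sort()
        failures = 0
        for _, status in hits:
            if status in (403, 404):
                failures += 1
            elif status == 200 and failures >= min_failures:
                alerts.append({"ip": ip, "user_id": user, "failures_before_success": failures})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG) + find_denied_then_success(SAMPLE_LOG):
        print(alert)
```

Tune `min_groups` and `window` to the instance's normal API traffic; CI integrations that legitimately query many groups will otherwise surface as false positives, and the `sequential` flag is the quickest way to separate a scripted walk from a busy but legitimate client.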
