CVE-2024-12244
📋 TL;DR
This CVE describes an access control vulnerability in GitLab Enterprise Edition where users can view restricted project information even when related features are disabled. It affects GitLab EE versions 17.7 to 17.9.6, 17.10 to 17.10.4, and 17.11 to 17.11.0. The vulnerability allows unauthorized information disclosure to authenticated users.
💻 Affected Systems
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Sensitive project information, potentially including confidential data, intellectual property, or internal communications, could be exposed to unauthorized users within the organization.
Likely Case
Users with limited permissions can access project details, metadata, or configuration information that should be restricted based on feature flags or project settings.
If Mitigated
With proper access controls and feature flag management, exposure would be limited to non-sensitive information or prevented entirely.
🎯 Exploit Status
Exploitation requires authenticated access to GitLab. The vulnerability is in access control logic when features are disabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.9.7, 17.10.5, 17.11.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/508046
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE 17.9.7, 17.10.5, or 17.11.1, depending on your current version.
3. Restart GitLab services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable affected features globally
Temporarily disable the specific project features that are bypassing access controls until patching can be completed.
# Requires GitLab admin access to feature flags
# Check GitLab documentation for specific feature flag controls
🧯 If You Can't Patch
- Review and tighten user permissions and access controls for all projects
- Implement additional monitoring for unusual access patterns to project information
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version via the admin interface or with the command below; the instance is affected if the version falls within 17.7 to 17.9.6, 17.10 to 17.10.4, or 17.11 to 17.11.0.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the version is 17.9.7, 17.10.5, or 17.11.1 or later, then test that restricted project information is no longer accessible when the related features are disabled.
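As an added example (not from this advisory or from GitLab), the following Python helper automates the version check above: it extracts the release from `gitlab-rake gitlab:env:info` output, tests it against the affected ranges listed in this advisory, and names the lowest patched release to upgrade to. The sample output is constructed, and the parser assumes the GitLab release appears on a line starting with `Version:` or `GitLab version`.

```python
import re

# Affected version ranges from the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((17, 7, 0), (17, 9, 6)),
    ((17, 10, 0), (17, 10, 4)),
    ((17, 11, 0), (17, 11, 0)),
]
# Patched releases listed in the advisory.
PATCHED_RELEASES = [(17, 9, 7), (17, 10, 5), (17, 11, 1)]

# Matches a line starting with "Version:" or "GitLab version" only, so
# "Ruby Version:" / "Gem Version:" lines in env:info output are skipped.
VERSION_RE = re.compile(
    r"^(?:GitLab\s+)?[Vv]ersion:?\s*v?(\d+)\.(\d+)\.(\d+)", re.MULTILINE
)


def parse_gitlab_version(env_info: str) -> tuple:
    """Return the GitLab release as an (major, minor, patch) tuple."""
    match = VERSION_RE.search(env_info)
    if match is None:
        raise ValueError("no GitLab version line found in env:info output")
    return tuple(int(part) for part in match.groups())


def is_affected(version: tuple) -> bool:
    """True when the release lies inside one of the advisory's affected ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version: tuple):
    """Lowest patched release above the running one; None if not affected."""
    if not is_affected(version):
        return None
    return min(p for p in PATCHED_RELEASES if p > version)


def assess(env_info: str) -> dict:
    """Summarise exposure for a captured env:info text."""
    version = parse_gitlab_version(env_info)
    target = recommended_upgrade(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": is_affected(version),
        "upgrade_to": ".".join(map(str, target)) if target else None,
    }


# Constructed sample of `sudo gitlab-rake gitlab:env:info` output (not a real capture).
SAMPLE_ENV_INFO = """System information
Ruby Version:   3.2.4p170
Gem Version:    3.5.11

GitLab information
Version:        17.10.2
Revision:       0123abcd
"""

if __name__ == "__main__":
    print(assess(SAMPLE_ENV_INFO))  # expected: 17.10.2 is affected, upgrade to 17.10.5
```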
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to project information endpoints
- Log entries showing users accessing project data while the related features are disabled
Network Indicators:
- Increased requests to project API endpoints from users without appropriate permissions
SIEM Query:
source="gitlab" AND (event="project_access" OR event="feature_access") AND status="success" AND user_permission="limited"