CVE-2024-1539

4.3 MEDIUM

📋 TL;DR

This vulnerability allows a user who has been banned from a group to keep reading updates to that group's issues through the GitLab REST API, exposing issue discussions and changes they were supposed to be cut off from. Group-level banning is a GitLab EE feature: the ban removes the member from the group but leaves the account active on the instance, so the user still holds valid credentials and any API tokens they created. The flaw is in the authorization check for banned group members, which let the API serve group issue data it should have refused. Only GitLab EE installations on the affected versions are exposed.

💻 Affected Systems

Products:
  • GitLab EE
Versions: 15.2 to 16.9.6, 16.10 to 16.10.4, 16.11 to 16.11.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitLab Enterprise Edition (EE); banning members at the group level is an EE feature, so Community Edition (CE) has neither the feature nor the bug. GitLab.com is patched by GitLab itself; self-managed EE instances on an affected version need the update. Exploitation presupposes that at least one user has been banned from a group.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

Learn more about Gitlab →


⚠️ Risk & Real-World Impact

🔴

Worst Case

A banned malicious insider could monitor ongoing security discussions, project updates, or sensitive issue details they should no longer have access to, potentially enabling further attacks or information leakage.

🟠

Likely Case

A user banned from a group who still holds a working API token keeps polling the group's issue endpoints and learns about project activity, triage decisions and discussion threads they were removed from.

🟢

If Mitigated

Once the fix is applied the API enforces the ban and rejects these requests (GitLab normally answers with 404 for resources the caller may not see), so banned members get no issue data at all. The vulnerability exposes issue updates only; it does not grant write access or access to repositories.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account that has been banned from the target group (the account itself remains active, since the ban is group-scoped) together with API access such as a personal access token. No special tooling is needed beyond ordinary calls to the issues endpoints; the vulnerability lies in the authorization logic for banned group members.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.9.7, 16.10.5, or 16.11.2 (any later release is also fixed)

Vendor Advisory: https://about.gitlab.com/releases/

Restart Required: Yes (an Omnibus package upgrade runs gitlab-ctl reconfigure and restarts the services itself)

Instructions:

1. Back up the instance first, for example with `sudo gitlab-backup create` on Omnibus installs.
2. Upgrade to GitLab EE 16.9.7, 16.10.5 or 16.11.2, matching the release track you are on; on a Debian/Ubuntu Omnibus install that is e.g. `sudo apt-get install gitlab-ee=16.9.7-ee.0`.
3. Let the package upgrade reconfigure and restart GitLab, or restart the services yourself on non-Omnibus installs.
4. Verify the running version (see "How to Verify" below) and confirm that a banned member can no longer read the group's issues via the API.

🔧 Temporary Workarounds

Revoke API tokens of banned members, or block hostile accounts instance-wide

linux

Revoking a banned member's personal access tokens removes the easiest path to the API, but it is a partial measure: the ban is the broken check, and the user can create a new token, or use OAuth tokens or a browser session, unless the account itself is blocked. For an account you consider hostile, block it at the instance level (Admin Area > Users > Block), which stops all sign-ins and API use. To revoke the tokens from the Rails console ('username' is a placeholder):

sudo gitlab-rails console
# Revoke every personal access token belonging to one banned member
user = User.find_by(username: 'username')
user.personal_access_tokens.each(&:revoke!) if user

🧯 If You Can't Patch

  • Audit the banned-members list of every group and revoke all personal access tokens held by those users; block the accounts at the instance level where the ban was for misconduct
  • Restrict API access by network (reverse proxy allow-lists) only where the banned users are outside your network; this does not help against an insider, because the requests are authenticated and look like any other API call
  • Watch the API logs for issue reads by banned usernames until you can upgrade (see "Detection & Monitoring")

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the instance is an EE build (the version string ends in -ee) and the version is 15.2 or later but below 16.9.7, 16.10 to 16.10.4, or 16.11.0 to 16.11.1.

Check Version:

sudo gitlab-rake gitlab:env:info | grep -A1 'GitLab information'

The "GitLab information" block prints the version on a line starting with "Version:" (not "GitLab version"), e.g. "Version: 16.9.6-ee". Alternatively, query the REST API with an authenticated token: GET /api/v4/version returns a JSON body with a "version" field.

Verify Fix Applied:

Verify the version is 16.9.7, 16.10.5 or 16.11.2 or higher on its track (17.x and later are also fixed). As a functional check, call GET /api/v4/groups/<group>/issues with a banned member's token; on a patched instance the request is rejected rather than answered with issue data.
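The version check above can be scripted so it is applied consistently across many self-managed instances. The following is an added example, not code from GitLab or from this advisory. It encodes the three affected ranges, treats the -ce suffix as not affected, parses the version either from gitlab:env:info output or from the /api/v4/version JSON body, and is careful to read the "Version:" line of the "GitLab information" block rather than the one the GitLab Shell block prints further down. The sample outputs embedded at the bottom are constructed, not captured from a real instance.

```python
import json

# CVE-2024-1539 affected ranges for GitLab EE, from the advisory text:
#   15.2 <= v < 16.9.7, 16.10 <= v < 16.10.5, 16.11 <= v < 16.11.2
# Each entry is (first vulnerable, first fixed) as (major, minor, patch).
VULNERABLE_RANGES = (
    ((15, 2, 0), (16, 9, 7)),
    ((16, 10, 0), (16, 10, 5)),
    ((16, 11, 0), (16, 11, 2)),
)


def parse_version(version):
    """Turn '16.9.6-ee' into ((16, 9, 6), 'ee').

    GitLab prints the edition as a '-ee' / '-ce' suffix; a bare number with
    no suffix is reported as 'unknown'.
    """
    core, _, tail = version.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    if tail.endswith("ee"):
        edition = "ee"
    elif tail.endswith("ce"):
        edition = "ce"
    else:
        edition = "unknown"
    return tuple(parts[:3]), edition


def is_vulnerable(version):
    """True if the version string falls inside an affected range.

    CE is never affected (group bans are an EE feature). An unknown edition
    is treated like EE so a missing suffix never hides a vulnerable install.
    """
    nums, edition = parse_version(version)
    if edition == "ce":
        return False
    return any(lo <= nums < hi for lo, hi in VULNERABLE_RANGES)


def version_from_env_info(text):
    """Extract the version from `sudo gitlab-rake gitlab:env:info` output.

    Only the 'Version:' line inside the 'GitLab information' block is the
    GitLab version; the 'GitLab Shell' block prints its own 'Version:' line.
    """
    in_block = False
    for line in text.splitlines():
        if "GitLab information" in line:
            in_block = True
        elif in_block and line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_from_api(body):
    """Extract the version from the JSON body of an authenticated GET /api/v4/version."""
    return json.loads(body).get("version")


# Constructed sample outputs (assumed shape, not captured from a live instance).
SAMPLE_ENV_INFO = """System information
System:\t\tUbuntu 22.04
Current User:\tgit

GitLab information
Version:\t16.9.6-ee
Revision:\t0123abcd
Directory:\t/opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:\t14.35.0
"""
SAMPLE_API_BODY = '{"version":"16.10.5-ee","revision":"89abcdef"}'

if __name__ == "__main__":
    for label, v in (("rake env:info", version_from_env_info(SAMPLE_ENV_INFO)),
                     ("/api/v4/version", version_from_api(SAMPLE_API_BODY))):
        state = "VULNERABLE" if is_vulnerable(v) else "not affected"
        print(f"{label}: {v} -> {state}")
```

Feed it the real output of the rake task or the API response instead of the constructed samples; the range table is the only thing to update if GitLab publishes further backports.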

📡 Detection & Monitoring

Log Indicators:

  • Entries in api_json.log (GitLab's REST API request log, which records username, method, path and status) where the username belongs to a member banned from a group and the path is one of that group's issue endpoints
  • Such requests answered with a 2xx status: that is the actual disclosure. After the patch the same requests are rejected, so a 2xx for a banned member means the instance is still exposed
  • A banned account that resumes or increases API polling shortly after the ban

Network Indicators:

  • API calls to /api/v4/groups/<group>/issues... and, for projects inside the group, /api/v4/projects/<project>/issues... from banned user accounts. With TLS the paths are only visible at the GitLab or reverse-proxy log layer, not on the wire

SIEM Query:

GitLab's logs carry the username and path but no ban state, so the list of banned members has to be supplied as a lookup (from each group's banned-members list). Illustrative Splunk-style query; replace the username list with your lookup and adjust field names to your ingestion:

source="gitlab" path="/api/v4/groups/*/issues*" status>=200 status<300 username IN ("banned_user_1", "banned_user_2")
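For a self-managed instance without a SIEM, the same correlation can be run directly over api_json.log. The following is an added example, not GitLab's code or a query from the original advisory. It assumes two lookups maintained out of band: which usernames are banned from which group, and which project ids belong to each group (obtainable from GET /api/v4/groups/:id/projects); both, like the log excerpt at the bottom, are constructed here. It flags issue reads by banned members and marks the ones the server actually served (2xx), which on a patched instance should never occur.

```python
import json
import re

# Constructed enrichment data (assumptions, not from the advisory). Ids are kept
# as strings because GitLab also accepts URL-encoded paths in place of numeric ids.
BANNED_MEMBERS = {"mallory": {"42"}}        # username -> ids of groups they are banned from
GROUP_PROJECTS = {"42": {"101", "102"}}     # group id -> ids of projects in that group

# A group's issue data is served at the group level and under each of its projects.
GROUP_ISSUES = re.compile(r"^/api/v4/groups/([^/]+)/issues(?:/|$)")
PROJECT_ISSUES = re.compile(r"^/api/v4/projects/([^/]+)/issues(?:/|$)")


def issue_group_for(path, group_projects=GROUP_PROJECTS):
    """Return the group id whose issue data `path` reads, or None for any other endpoint."""
    m = GROUP_ISSUES.match(path)
    if m:
        return m.group(1)
    m = PROJECT_ISSUES.match(path)
    if m:
        for gid, pids in group_projects.items():
            if m.group(1) in pids:
                return gid
    return None


def find_banned_issue_reads(log_lines, banned=BANNED_MEMBERS, group_projects=GROUP_PROJECTS):
    """Scan api_json.log lines (one JSON object per line) for issue reads by banned members.

    Every such request is returned; `served` marks the ones answered with 2xx,
    which is the real disclosure. A 404 for the same request means the ban held.
    """
    hits = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON log line; skip instead of aborting mid-file
        groups = banned.get(ev.get("username"))
        if not groups:
            continue
        gid = issue_group_for(ev.get("path", ""), group_projects)
        if gid in groups:
            status = int(ev.get("status", 0))
            hits.append({
                "time": ev.get("time"),
                "username": ev["username"],
                "group": gid,
                "method": ev.get("method"),
                "path": ev["path"],
                "status": status,
                "served": 200 <= status < 300,
            })
    return hits


# Constructed api_json.log excerpt: field names follow GitLab's api_json.log,
# values are made up. The fourth line is deliberate garbage to exercise the parser.
SAMPLE_LOG = """\
{"time":"2024-05-02T10:00:01.000Z","method":"GET","path":"/api/v4/groups/42/issues","status":200,"username":"mallory","user_id":7,"remote_ip":"203.0.113.5"}
{"time":"2024-05-02T10:00:02.000Z","method":"GET","path":"/api/v4/projects/101/issues/7/notes","status":200,"username":"mallory","user_id":7,"remote_ip":"203.0.113.5"}
{"time":"2024-05-02T10:00:03.000Z","method":"GET","path":"/api/v4/projects/999/issues","status":200,"username":"mallory","user_id":7,"remote_ip":"203.0.113.5"}
this line is not JSON
{"time":"2024-05-02T10:00:04.000Z","method":"GET","path":"/api/v4/groups/42/issues","status":200,"username":"alice","user_id":3,"remote_ip":"198.51.100.9"}
{"time":"2024-05-02T10:00:05.000Z","method":"GET","path":"/api/v4/groups/42/issues","status":404,"username":"mallory","user_id":7,"remote_ip":"203.0.113.5"}
{"time":"2024-05-02T10:00:06.000Z","method":"GET","path":"/api/v4/projects/101/merge_requests","status":200,"username":"mallory","user_id":7,"remote_ip":"203.0.113.5"}
"""

if __name__ == "__main__":
    for hit in find_banned_issue_reads(SAMPLE_LOG.splitlines()):
        flag = "DISCLOSED" if hit["served"] else "blocked"
        print(f"{hit['time']} {hit['username']} {hit['method']} {hit['path']} -> {hit['status']} {flag}")
```

Project 999 is not in group 42, so its issue read is not flagged, and the merge request call is ignored because this CVE concerns issues only; a request for project 102 would be attributed to group 42 through the lookup. Point the function at the real log (on Omnibus, /var/log/gitlab/gitlab-rails/api_json.log) and at lookups exported from your groups.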
