CVE-2024-4024
📋 TL;DR
This vulnerability allows an attacker with Bitbucket credentials to hijack GitLab accounts linked to other users' Bitbucket accounts when Bitbucket is configured as an OAuth 2.0 provider. It affects GitLab Community Edition and Enterprise Edition installations using Bitbucket OAuth integration. The attacker must have valid Bitbucket account credentials to exploit this issue.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain unauthorized access to any GitLab account linked to a Bitbucket account, potentially compromising source code, CI/CD pipelines, and sensitive project data.
Likely Case
Targeted account takeover of specific GitLab users whose Bitbucket accounts are known to the attacker, leading to unauthorized access to repositories and project settings.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary unauthorized access that can be detected and remediated through account recovery procedures.
🎯 Exploit Status
The attacker needs valid Bitbucket credentials and knowledge of the target's Bitbucket account. The GitLab instance must have Bitbucket configured as an OAuth provider.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.9.6, 16.10.4, or 16.11.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/452426
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to GitLab 16.9.6, 16.10.4, or 16.11.1 using your preferred update method.
3. Restart GitLab services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Bitbucket OAuth Integration
Temporarily disable Bitbucket as an OAuth provider until patching is complete.
Edit the GitLab configuration file (gitlab.rb) and either set gitlab_rails['omniauth_providers'] = [] or remove the Bitbucket entry from the providers list.
Reconfigure GitLab: sudo gitlab-ctl reconfigure
🧯 If You Can't Patch
- Disable Bitbucket OAuth integration completely
- Implement strict monitoring for unusual account activity and OAuth login attempts
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version and the Bitbucket OAuth configuration. If the version is in the affected range and Bitbucket OAuth is enabled, the instance is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Verify that the GitLab version is 16.9.6, 16.10.4, or 16.11.1 or later using: sudo gitlab-rake gitlab:env:info
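The two checks above (version in the fixed range, Bitbucket still listed as an OmniAuth provider) can be scripted for a fleet of Omnibus instances. The script below is an added example, not GitLab's own tooling: it takes the version string as an argument (obtain it with the gitlab-rake command above), reads a gitlab.rb on standard input, and reports the instance as exposed only when the version is below the patched release for its minor series and a non-comment line still names the bitbucket provider. The patched releases 16.9.6, 16.10.4 and 16.11.1 come from the advisory; treating 16.8 and older series as unpatched, and the grep-based provider check, are assumptions of this example. The gitlab.rb fragments and version strings are constructed samples.

```shell
#!/bin/sh
# Added example, not GitLab's own tooling. Given a GitLab version string and a
# gitlab.rb fragment, report whether an Omnibus instance is still exposed to
# CVE-2024-4024: unpatched version AND Bitbucket enabled as an OmniAuth provider.
# Patched releases taken from the advisory: 16.9.6, 16.10.4, 16.11.1.

# is_fixed VERSION -> exit 0 when VERSION is at or above the patched release of
# its minor series (or on a newer series), 1 otherwise. Accepts "-ee"/"-ce" suffixes.
is_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "16.9.6-ee" -> "16.9.6"
    set -- $(printf '%s' "$v" | tr '.' ' ')         # split on dots
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 16 ] && return 0
    [ "$major" -lt 16 ] && return 1
    case "$minor" in
        9)  [ "$patch" -ge 6 ] ;;
        10) [ "$patch" -ge 4 ] ;;
        11) [ "$patch" -ge 1 ] ;;
        *)  [ "$minor" -gt 11 ] ;;   # assumption: 16.8 and older have no fixed release
    esac
}

# bitbucket_enabled < gitlab.rb -> exit 0 when a non-comment line names the
# bitbucket provider (heuristic: a quoted "bitbucket" outside '#' comments).
bitbucket_enabled() {
    grep -v '^[[:space:]]*#' | grep -qE "[\"']bitbucket[\"']"
}

# exposed VERSION < gitlab.rb -> exit 0 only when the version is unpatched
# AND Bitbucket OAuth is still configured.
exposed() {
    is_fixed "$1" && return 1
    bitbucket_enabled
}

# Constructed gitlab.rb fragments (not taken from a real instance).
VULN_CFG='gitlab_rails["omniauth_enabled"] = true
gitlab_rails["omniauth_providers"] = [
  { name: "bitbucket", app_id: "PLACEHOLDER_KEY", app_secret: "PLACEHOLDER_SECRET" }
]'
SAFE_CFG='# Bitbucket removed pending upgrade (CVE-2024-4024)
# gitlab_rails["omniauth_providers"] = [ { name: "bitbucket" } ]
gitlab_rails["omniauth_providers"] = []'

# Usage: sh check_cve_2024_4024.sh VERSION /etc/gitlab/gitlab.rb
# With no arguments the constructed samples above are checked instead.
if [ "$#" -ge 2 ]; then
    if exposed "$1" < "$2"; then
        echo "EXPOSED: GitLab $1 with Bitbucket OAuth enabled"
    else
        echo "not exposed: patched version or Bitbucket OAuth not configured"
    fi
else
    printf '%s\n' "$VULN_CFG" | exposed 16.9.5-ee && echo "sample 1 (16.9.5-ee, bitbucket on): exposed"
    printf '%s\n' "$SAFE_CFG" | exposed 16.9.5-ee || echo "sample 2 (16.9.5-ee, providers empty): not exposed"
fi
```

The version test is done per minor series rather than by a single "greater than" comparison because each of 16.9, 16.10 and 16.11 received its own backported fix; a plain numeric compare against 16.11.1 would wrongly flag a patched 16.10.4 as vulnerable.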
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth authentication patterns from Bitbucket
- Account login from unexpected locations/times
- Multiple failed OAuth attempts followed by successful login
Network Indicators:
- Unusual traffic patterns to /users/auth/bitbucket endpoint
- Increased OAuth callback requests
SIEM Query:
source="gitlab" ("omniauth" OR "bitbucket") AND ("failed" OR "success")