CVE-2024-4472
📋 TL;DR
This vulnerability exposes dependency proxy credentials in GraphQL logs in GitLab instances. Attackers with access to these logs could obtain credentials to access private dependency repositories. All GitLab CE/EE instances running affected versions are impacted.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain dependency proxy credentials, access private dependency repositories, potentially injecting malicious packages or exfiltrating proprietary code.
Likely Case
Internal users or attackers with log access discover credentials, leading to unauthorized access to dependency repositories and potential supply chain compromise.
If Mitigated
With proper log access controls and monitoring, credential exposure is detected quickly and credentials are rotated before exploitation.
🎯 Exploit Status
Exploitation requires access to GraphQL logs, which typically requires some level of system access or another vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.1.7, 17.2.5, 17.3.2
Vendor Advisory: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to a patched version (17.1.7, 17.2.5, or 17.3.2).
3. Restart GitLab services.
4. Verify that the logs no longer contain credentials.
🔧 Temporary Workarounds
Restrict Log Access
Limit access to GitLab logs to authorized administrators only. Rotated copies of the log and any log-forwarding pipeline need the same restriction, because the credentials keep being written until the patch is applied.
chmod 600 /var/log/gitlab/gitlab-rails/production.log
chown git:git /var/log/gitlab/gitlab-rails/production.log
Disable Dependency Proxy
Temporarily disable the dependency proxy feature if it is not required. On Linux package installs the setting goes in /etc/gitlab/gitlab.rb and takes effect after gitlab-ctl reconfigure.
gitlab_rails['dependency_proxy_enabled'] = false
🧯 If You Can't Patch
- Rotate all dependency proxy credentials immediately
- Implement strict access controls on GitLab log files and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version with:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
After patching, confirm the reported version is 17.1.7, 17.2.5, or 17.3.2 or later, and check the GraphQL logs for credential patterns. Entries written before the upgrade still contain the credentials, so rotate those credentials and purge or restrict the old log files.
📡 Detection & Monitoring
Log Indicators:
- GraphQL logs containing dependency proxy credential patterns
- Unauthorized access attempts to dependency repositories
Network Indicators:
- Unusual traffic to dependency proxy endpoints from unexpected sources
SIEM Query:
source="/var/log/gitlab/gitlab-rails/production.log" AND "dependency_proxy" AND ("password" OR "token" OR "credential")
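As an added example (not part of this advisory and not GitLab's own tooling), the following Python script checks a reported version against the patch releases listed above and scans JSON-formatted GraphQL log lines for dependency proxy operations whose variables carry credential-like keys, reporting key paths rather than values. The log structure, operation names and field names in the sample are constructed for illustration; the assumption is that each log line is one JSON object with operation_name and variables fields.

```python
import json
import re
# Patch levels named in this advisory: 17.1.7, 17.2.5, or 17.3.2 and later.
SERIES_FIX = {(17, 1): (17, 1, 7), (17, 2): (17, 2, 5)}
LATEST_FIX = (17, 3, 2)
CRED_KEY = re.compile(r"password|token|credential", re.IGNORECASE)

def parse_version(text: str) -> tuple:
    """Pull MAJOR.MINOR.PATCH out of `gitlab-rake gitlab:env:info` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def is_patched(text: str) -> bool:
    # True at/above the fix release for its 17.x series, or at/above 17.3.2.
    v = parse_version(text)
    fix = SERIES_FIX.get(v[:2])
    return v >= LATEST_FIX or (fix is not None and v >= fix)

def _cred_paths(obj, prefix: str) -> list:
    """Dotted paths of dict keys whose names look credential-like (nested dicts only)."""
    paths = []
    if isinstance(obj, dict):
        for k, val in obj.items():
            if CRED_KEY.search(k):
                paths.append(f"{prefix}.{k}")
            paths.extend(_cred_paths(val, f"{prefix}.{k}"))
    return paths

def scan_graphql_log(lines: list) -> list:
    """Flag dependency-proxy entries whose variables hold credential-like keys (paths only, never values)."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON or truncated line: skip rather than crash
        if not any(t in line.lower() for t in ("dependency_proxy", "dependencyproxy")):
            continue
        paths = _cred_paths(entry.get("variables", {}), "variables")
        if paths:
            findings.append({"line": n, "operation": entry.get("operation_name"), "keys": paths})
    return findings
# Constructed sample entries (not real GitLab output); operation and field names are invented.
SAMPLE_LOG = [
    '{"operation_name":"updateDependencyProxySettings","variables":{"input":{"enabled":true}}}',
    '{"operation_name":"updateDependencyProxyRegistry","variables":{"input":{"user":"deploy","registryPassword":"sample-secret"}}}',
    '{"operation_name":"currentUser","variables":{"token":"sample"}}',
    "not json at all",
]
```

Run scan_graphql_log over the lines of the GraphQL log rather than production.log where your install writes GraphQL requests to a separate JSON log; the version check mirrors the verification step above.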