CVE-2024-4612
📋 TL;DR
This CVE describes an open redirect vulnerability in GitLab EE that could allow attackers to hijack OAuth flows and potentially take over user accounts. The vulnerability affects GitLab EE versions 12.9 through 17.3.1 under specific conditions. Attackers could redirect users to malicious sites during authentication, compromising account security.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Successful account takeover of GitLab users, potentially including administrators, leading to data theft, code repository compromise, and lateral movement within the organization.
Likely Case
Targeted phishing attacks against GitLab users, credential theft, and potential access to sensitive repositories and CI/CD pipelines.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and user awareness training about phishing risks.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link) and specific conditions during OAuth authentication flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.1.7, 17.2.5, or 17.3.2
Vendor Advisory: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE version 17.1.7, 17.2.5, or 17.3.2, depending on your current version.
3. Restart GitLab services.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Disable OAuth integrations
Temporarily disable OAuth provider integrations to prevent exploitation of the vulnerability.
Edit GitLab configuration to remove OAuth providers
Network segmentation
Restrict access to the GitLab instance to trusted networks only.
Configure firewall rules to limit GitLab access
🧯 If You Can't Patch
- Implement strict network access controls to limit GitLab exposure
- Enable multi-factor authentication for all GitLab users
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version via the admin interface or the command line. If the version falls within 12.9 through 17.1.6, 17.2 through 17.2.4, or 17.3 through 17.3.1, the instance is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab Version'
Verify Fix Applied:
Confirm that the running GitLab version is 17.1.7, 17.2.5, 17.3.2, or a later release.
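As an added example (not part of this advisory or of GitLab's own tooling), the following Python script applies the affected ranges listed above to the version string reported by gitlab:env:info. The sample command output is constructed, and the exact line layout it matches is an assumption about the real command's output.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as stated in this advisory: 12.9 through 17.1.6, 17.2 through 17.2.4
# and 17.3 through 17.3.1 are affected; 17.1.7, 17.2.5 and 17.3.2 (or any
# later release) carry the fix.
FIRST_AFFECTED: Version = (12, 9, 0)
FIXED_PATCH_BY_BRANCH = {(17, 1): 7, (17, 2): 5, (17, 3): 2}

def parse_version(text: str) -> Optional[Version]:
    """'17.3.1-ee' -> (17, 3, 1); edition suffixes are ignored and a missing
    patch component counts as .0. Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside an affected range for CVE-2024-4612."""
    major, minor, patch = version
    if version < FIRST_AFFECTED:
        return False
    fixed_patch = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed_patch is not None:
        # 17.1.x, 17.2.x, 17.3.x: vulnerable only below that branch's fix
        return patch < fixed_patch
    # 12.9 up to and including 17.0.x is affected; 17.4 and later are fixed
    return version < (17, 1, 0)

def check_env_info(output: str) -> Tuple[Optional[Version], bool]:
    """Locate the version line in `gitlab-rake gitlab:env:info` output and
    return (version, vulnerable). The line layout matched here is an
    assumption; adjust the pattern to what your instance prints."""
    for line in output.splitlines():
        if re.match(r"\s*(?:GitLab )?Version:", line):
            version = parse_version(line)
            return version, bool(version and is_vulnerable(version))
    return None, False

# Constructed sample of the command's output (not captured from a real host).
SAMPLE_ENV_INFO = """\
GitLab information
Version:        17.3.1-ee
Revision:       PLACEHOLDER
"""
```

Pipe the real command's output into check_env_info to get a (version, vulnerable) verdict for the instance.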
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth redirect patterns
- Failed authentication attempts with suspicious redirect URLs
- Multiple authentication requests from single IP
Network Indicators:
- HTTP 302 redirects to unexpected domains during OAuth flow
- Traffic patterns showing authentication flow interruptions
SIEM Query:
source="gitlab" AND (event="oauth_redirect" OR event="authentication_failure") AND url CONTAINS "redirect_uri="