CVE-2024-5318
📋 TL;DR
This vulnerability allows Guest users in GitLab to view the dependency lists of private projects through job artifacts, potentially exposing sensitive project information. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) installations in the version ranges listed below. Organizations running affected GitLab versions with private projects whose dependencies are sensitive are at risk.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Guest users could discover proprietary libraries, internal tooling, or security-sensitive dependencies used in private projects, potentially aiding attackers in crafting targeted attacks or intellectual property theft.
Likely Case
Unauthorized exposure of project dependency information that could reveal technology stack details, internal development practices, or security tooling used in private repositories.
If Mitigated
Limited information disclosure with minimal operational impact if dependency lists contain only public/open-source libraries without sensitive metadata.
🎯 Exploit Status
Exploitation requires Guest user credentials and access to job artifacts. The vulnerability is documented in public bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.10.6, 16.11.3, or 17.0.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/427526
Restart Required: Yes
Instructions:
1. Identify your GitLab version.
2. Upgrade to the patched version: 16.10.6 for 16.10.x, 16.11.3 for 16.11.x, or 17.0.1 for 17.0.x.
3. Restart GitLab services.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Guest Access to Job Artifacts
Modify project permissions to prevent Guest users from accessing job artifacts containing dependency lists.
Navigate to Project Settings > General > Permissions and adjust Guest permissions
Disable Dependency Scanning Jobs
Temporarily disable CI/CD jobs that generate dependency lists in job artifacts for private projects.
Edit .gitlab-ci.yml to comment out or remove dependency scanning jobs
🧯 If You Can't Patch
- Review and restrict Guest user permissions across all private projects
- Audit and clean job artifacts containing sensitive dependency information from private projects
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version in the Admin Area or from the command line. If the version is in the range 11.11 through 16.10.5, 16.11 through 16.11.2, or 17.0 up to and including 17.0.0, the system is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep '^Version:'
Verify Fix Applied:
Confirm the GitLab version is at least 16.10.6, 16.11.3, or 17.0.1 for its release series. Then test that a Guest user cannot access dependency lists in the job artifacts of a private project.
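The version check above can be scripted. The following is an added example, not part of the advisory or of GitLab's own tooling: it parses the version string (including the `Version:` line printed by `gitlab-rake gitlab:env:info`), tests it against the three affected ranges stated on this page, and returns the patch release to upgrade to. For versions below 16.10 it returns 16.10.6, the earliest patched release of that band, which is an assumption about the upgrade target rather than something the advisory states.

```python
# Added example: classify a GitLab version against the CVE-2024-5318 ranges.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release) per series, as stated on the page
AFFECTED_RANGES = [
    ((11, 11, 0), (16, 10, 5), "16.10.6"),  # 11.11 through 16.10.5
    ((16, 11, 0), (16, 11, 2), "16.11.3"),  # 16.11 through 16.11.2
    ((17, 0, 0), (17, 0, 0), "17.0.1"),     # 17.0.0 only
]


def parse_version(text: str) -> Version:
    """Parse '16.10.3', '16.10.3-ee' or a 'Version:\t16.10.3-ee' line from
    `gitlab-rake gitlab:env:info` into a (major, minor, patch) tuple.
    A missing patch component (e.g. '17.0') is treated as .0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_fix(text: str) -> Optional[str]:
    """Return the patch release to upgrade to if `text` names an affected
    version, or None when the version is outside every affected range.
    Tuple comparison gives the usual major.minor.patch ordering."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


if __name__ == "__main__":
    import sys
    # Usage: pipe the env:info output or pass a version string as argv[1]
    source = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    fix = affected_fix(source)
    print("vulnerable, upgrade to " + fix if fix else "not in an affected range")
```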
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to job artifacts by Guest users
- Failed permission checks for dependency list access
Network Indicators:
- HTTP requests to job artifact endpoints from Guest user accounts
SIEM Query:
source="gitlab" AND (user_role="Guest" AND uri_path="/api/v4/projects/*/jobs/*/artifacts")
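GitLab's API log does not carry the requester's role, so the `user_role` field in the SIEM query above has to come from somewhere. The following added example (not part of the advisory) shows one way to do that offline: it joins constructed JSON log lines, shaped like GitLab's api log, against an assumed project membership export (GitLab access level 10 is Guest) and reports every job-artifact request made by a Guest member, keeping the HTTP status so that both successful downloads and denied attempts (the two Log Indicators listed above) are visible.

```python
# Added example: find job-artifact requests made by Guest members of a project.
import json
import re
from typing import Dict, List, Tuple

GUEST = 10  # GitLab access level for the Guest role
# Same endpoint shape as the SIEM query above, optionally followed by a file path
ARTIFACT_PATH = re.compile(r"^/api/v4/projects/([^/]+)/jobs/(\d+)/artifacts(?:/|$)")

# Constructed sample: (project id, username) -> access level, as exported from
# the project's members list (assumed input, not a GitLab log field)
MEMBERS: Dict[Tuple[str, str], int] = {
    ("42", "alice"): 40,     # Maintainer
    ("42", "eve"): GUEST,
    ("42", "mallory"): GUEST,
}

# Constructed sample log lines in the style of GitLab's JSON api log
SAMPLE_LOG = """
{"time":"2024-05-21T10:00:01Z","method":"GET","path":"/api/v4/projects/42/jobs/7/artifacts","status":200,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2024-05-21T10:00:07Z","method":"GET","path":"/api/v4/projects/42/jobs/7/artifacts","status":200,"username":"eve","remote_ip":"198.51.100.7"}
{"time":"2024-05-21T10:00:09Z","method":"GET","path":"/api/v4/projects/42/jobs/7/artifacts/gl-dependency-scanning-report.json","status":200,"username":"mallory","remote_ip":"198.51.100.9"}
{"time":"2024-05-21T10:00:12Z","method":"GET","path":"/api/v4/projects/42/jobs/8/artifacts","status":403,"username":"mallory","remote_ip":"198.51.100.9"}
{"time":"2024-05-21T10:00:15Z","method":"GET","path":"/api/v4/projects/42/issues","status":200,"username":"eve","remote_ip":"198.51.100.7"}
"""


def guest_artifact_hits(log_text: str, members: Dict[Tuple[str, str], int]) -> List[dict]:
    """Return one record per artifact request whose user is a Guest on that
    project. status 200 means the artifact was served; 403 means the
    permission check held, which is still worth seeing as a probing signal."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        m = ARTIFACT_PATH.match(entry.get("path", ""))
        if not m:
            continue  # not a job-artifact endpoint
        project_id, job_id = m.group(1), m.group(2)
        user = entry.get("username", "")
        if members.get((project_id, user)) != GUEST:
            continue  # member with a higher role, or not a member at all
        hits.append({"time": entry["time"], "user": user, "project": project_id,
                     "job": job_id, "status": entry.get("status"),
                     "remote_ip": entry.get("remote_ip"), "path": entry["path"]})
    return hits


if __name__ == "__main__":
    for hit in guest_artifact_hits(SAMPLE_LOG, MEMBERS):
        print(hit)
```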