CVE-2024-7047
📋 TL;DR
This cross-site scripting vulnerability in GitLab allows attackers to inject malicious scripts that execute in the context of authenticated users. All GitLab CE/EE instances running affected versions are vulnerable. The attack requires user interaction but can lead to session hijacking or unauthorized actions.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session tokens, gains full control of GitLab instance, accesses source code, modifies repositories, and potentially pivots to internal systems.
Likely Case
Attacker steals user session cookies, performs unauthorized actions as the victim (commits, merges, access to private repos), or captures sensitive data.
If Mitigated
With CSP headers blocking inline script execution, and proper input validation and output encoding in place, the impact is minimal.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) and authenticated user context. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.5, 17.1.3, 17.2.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/455318
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to a patched version: 17.0.5, 17.1.3, or 17.2.1.
3. For Omnibus: sudo apt-get update && sudo apt-get install gitlab-ce=version
4. For source installs: follow the GitLab upgrade documentation.
5. Restart GitLab services.
🔧 Temporary Workarounds
Content Security Policy (CSP)
Implement strict CSP headers to block inline script execution and restrict script sources.
Add to the GitLab configuration: gitlab_rails['content_security_policy'] = { enabled: true, directives: {...} }
Input Validation Filter
Implement web application firewall or reverse proxy rules to filter suspicious XSS payloads.
Configure WAF rules to block script tags and JavaScript event handlers.
🧯 If You Can't Patch
- Restrict user permissions to minimum required, implement principle of least privilege
- Enable audit logging for all user actions and monitor for suspicious activities
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area or command: sudo gitlab-rake gitlab:env:info | grep Version
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab Version'
Verify Fix Applied:
Confirm the running version is at or above the fix release for its minor branch (17.0.5 for 17.0.x, 17.1.3 for 17.1.x, 17.2.1 for 17.2.x). Test XSS payloads in affected components.
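Because the fix releases are per minor branch, a plain numeric comparison gives a false "patched" result (17.1.0 is above 17.0.5 but lacks the 17.1.x fix). The branch-aware check below is an added example, not code from the advisory or from GitLab; it assumes the "GitLab Version:" line shape printed by gitlab:env:info and, since the page names no fix release before 17.0, treats earlier branches as unpatched.

```python
"""Branch-aware check of a GitLab version against the CVE-2024-7047 fix releases."""
import re

# Fix releases named in the advisory; each one patches its own minor branch.
FIXED_VERSIONS = ("17.0.5", "17.1.3", "17.2.1")


def parse_version(text):
    """Extract (major, minor, patch) from a bare version string or from a
    'GitLab Version: 17.0.3-ee' line as printed by gitlab:env:info."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """Return True if the version carries the fix for this CVE.

    A version on one of the fixed branches (17.0, 17.1, 17.2) is patched
    only if its patch level meets that branch's fix release. Branches
    newer than 17.2 are treated as carrying the fix. Branches older than
    17.0 have no fix release on the page, so they are treated as
    unpatched (an assumption, not a statement from the advisory).
    """
    major, minor, patch = parse_version(version_text)
    fixed = [parse_version(v) for v in FIXED_VERSIONS]
    for f_major, f_minor, f_patch in fixed:
        if (major, minor) == (f_major, f_minor):
            return patch >= f_patch
    newest_major, newest_minor, _ = max(fixed)
    return (major, minor) > (newest_major, newest_minor)


# Constructed sample line in the shape `gitlab-rake gitlab:env:info | grep 'GitLab Version'` prints.
SAMPLE_ENV_INFO = "GitLab Version:\t17.1.0-ee"

if __name__ == "__main__":
    for v in ("17.0.3", "17.0.5", "17.1.0", "17.1.3", "17.2.1", "17.3.0"):
        print(f"{v}: {'patched' if is_patched(v) else 'UNPATCHED'}")
    print(SAMPLE_ENV_INFO.strip(), "->", "patched" if is_patched(SAMPLE_ENV_INFO) else "UNPATCHED")
```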
📡 Detection & Monitoring
Log Indicators:
- Unusual user agent strings
- Requests with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful login
Network Indicators:
- Outbound connections to suspicious domains from GitLab server
- Unusual traffic patterns to GitLab instance
SIEM Query:
source="gitlab" AND (http_uri="*<script*" OR http_uri="*javascript:*" OR http_user_agent="*<script*")