CVE-2024-7404
📋 TL;DR
This vulnerability in GitLab's Device OAuth flow allows an attacker to gain full API access as another user through cross-window forgery. It affects GitLab Community Edition and Enterprise Edition installations running vulnerable versions. Attackers could impersonate victims and perform actions with their permissions.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative access to the GitLab instance, allowing them to steal source code, modify repositories, access sensitive data, and potentially pivot to other systems.
Likely Case
Attackers gain access to victim's repositories, CI/CD pipelines, and sensitive project data, leading to intellectual property theft and potential supply chain attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to the GitLab instance itself, though sensitive code and credentials could still be compromised.
🎯 Exploit Status
Exploitation requires the attacker to trick a victim into visiting a malicious website while authenticated to GitLab. The vulnerability is well-documented in public reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.3.7, 17.4.4, or 17.5.2
Vendor Advisory: https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#device-oauth-flow-allows-for-cross-window-forgery
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 17.3.7, 17.4.4, or 17.5.2, depending on your current release line.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Device OAuth Flow
Linux: Temporarily disable the vulnerable Device OAuth authentication method
gitlab-rails runner "ApplicationSetting.current.update!(device_flow_enabled: false)"
🧯 If You Can't Patch
- Implement strict network controls to limit GitLab access to trusted networks only
- Monitor for suspicious API activity and implement rate limiting on authentication endpoints
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version with:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Verify that the version is 17.3.7, 17.4.4, or 17.5.2, or a later patch of the same release line, and check that the Device OAuth flow is properly secured
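The version comparison above is easy to get wrong by hand (17.4.0 is newer than 17.3.7 but still unpatched). The following Python script is an added example, not part of this advisory, that parses the `Version:` line of `gitlab-rake gitlab:env:info` output and classifies the version against the three fix lines listed here. It assumes every release line after 17.5 carries the fix, and reports versions older than 17.3 as "unknown" because this page gives no lower bound.

```python
import re
from typing import Optional

# First fixed patch per release line, taken from the advisory above.
FIXED_PATCH = {(17, 3): 7, (17, 4): 4, (17, 5): 2}

# Matches the "Version:\t17.4.3-ee" line; the -ee/-ce suffix is ignored.
VERSION_RE = re.compile(r"^\s*Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(env_info: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from env:info output, or None if absent."""
    m = VERSION_RE.search(env_info)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: tuple[int, int, int]) -> str:
    """Classify a version against the CVE-2024-7404 fix lines.

    'fixed'      - at/above the fix patch in its line, or a later line (assumed)
    'vulnerable' - a 17.3 / 17.4 / 17.5 release below its fix patch
    'unknown'    - older than 17.3; this page states no lower bound
    """
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[line] else "vulnerable"
    if line > max(FIXED_PATCH):
        return "fixed"
    return "unknown"


def check_env_info(env_info: str) -> str:
    """Convenience wrapper: raw env:info text -> classification string."""
    v = parse_version(env_info)
    return "no-version-found" if v is None else assess(v)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real instance.
    SAMPLE = "GitLab information\nVersion:\t17.4.3-ee\nRevision:\tPLACEHOLDER\n"
    print(check_env_info(SAMPLE))  # vulnerable
```

Pipe the real command output into `check_env_info` (for example via `sys.stdin.read()`) to run it against a live instance.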
📡 Detection & Monitoring
Log Indicators:
- Unusual OAuth device flow requests
- Multiple failed authentication attempts followed by successful device flow
- API access from unexpected locations or user agents
Network Indicators:
- Unusual patterns in /oauth/device_authorization endpoint traffic
- Cross-origin requests to GitLab OAuth endpoints
SIEM Query:
source="gitlab" AND ("device_flow" OR "device_authorization") AND status="success" | stats count by user, src_ip