CVE-2024-8641
📋 TL;DR
An attacker who obtains a CI_JOB_TOKEN (the short-lived token GitLab issues to every running pipeline job) can use it to potentially steal a victim's GitLab session token and then act as that user. The issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) from 13.7 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2. With a hijacked session an attacker can impersonate the user and perform unauthorized actions with that user's permissions.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full session access to a victim's GitLab account and can read or modify repositories, pipelines and CI/CD variables, and, if the victim is an administrator, perform administrative actions.
Likely Case
An attacker who can get code to run in a pipeline (a committer, or a contributor whose merge request pipeline runs) holds a CI_JOB_TOKEN for the duration of that job and can use it to hijack a user session, then access projects, modify code, or exfiltrate data from repositories the victim can reach.
If Mitigated
With proper token management and monitoring, impact is limited to temporary session hijacking that can be detected and revoked.
🎯 Exploit Status
Requires a CI_JOB_TOKEN. Because one is issued to every running job, anyone able to execute code in a pipeline of the instance already has one; a token may also be exposed through job logs, artifacts or other vulnerabilities. The page does not document a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.1.7, 17.2.5, or 17.3.2
Vendor Advisory: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to 17.1.7, 17.2.5, or 17.3.2 (or later), choosing the patched release on your current branch and following GitLab's upgrade path if you are more than one minor version behind.
3. Restart GitLab services (the Omnibus package upgrade runs a reconfigure and restarts them for you).
4. Verify the update with the version check under "How to Verify" below.
🔧 Temporary Workarounds
Restrict who can obtain a CI_JOB_TOKEN
Every pipeline job is issued a job token, so limit who can get code to run in your pipelines: protect branches, restrict who may run pipelines for merge requests from forks, and keep untrusted code out of CI. Restricting job token access in each project's CI/CD settings (the job token allowlist) also narrows what a token can reach through the API, although it is not documented as a fix for this issue.
Invalidate exposed tokens and sessions
CI_JOB_TOKENs cannot be rotated: each one is valid only while its job runs and expires when the job finishes or is cancelled, so cancel any suspicious running job to cut its token short. If a user's session may have been taken, have the user revoke all other active sessions from their Active Sessions page and reset their password; also rotate any CI/CD variables or deploy keys that a hijacked session could have read.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GitLab instances from untrusted networks.
- Enable enhanced logging and monitoring for suspicious session activities and token usage.
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version in the Admin Area or from the command line. The instance is vulnerable if the version is 13.7 or later but below 17.1.7, 17.2.x below 17.2.5, or 17.3.x below 17.3.2.
Check Version:
sudo gitlab-rake gitlab:env:info | grep -A1 'GitLab information'
(The env:info report contains several "Version:" lines, for GitLab Shell and other components, so read the one directly under "GitLab information". On Omnibus installs, head -1 /opt/gitlab/version-manifest.txt shows the same package version.)
Verify Fix Applied:
Confirm GitLab version is 17.1.7, 17.2.5, or 17.3.2 or higher.
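The range check above is easy to get wrong by hand (17.1.7 is patched but 17.2.0 is not). The script below, an added example that is not GitLab's code, parses the version out of a gitlab:env:info report and tests it against the three affected ranges from the advisory; the sample report embedded in it is constructed for the demonstration.

```python
"""Check a GitLab version against the CVE-2024-8641 affected ranges.

Added example for this page; it is not GitLab's own tooling. The ranges are
taken from the advisory (13.7 before 17.1.7, 17.2 before 17.2.5, 17.3 before
17.3.2). SAMPLE_ENV_INFO is a constructed `gitlab:env:info` report.
"""
import re

# Each entry is [first affected, first fixed) as (major, minor, patch).
AFFECTED_RANGES = (
    ((13, 7, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from '17.3.1', '17.3.1-ee' or '17.3'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True when `version` (string or tuple) falls inside an affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Lowest patched release for an affected version, or None if not affected."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


def version_from_env_info(output):
    """Pull GitLab's own version out of `sudo gitlab-rake gitlab:env:info` output.

    The report has several 'Version:' lines (GitLab, GitLab Shell, ...), so
    take the first one after the 'GitLab information' heading.
    """
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "GitLab information":
            for following in lines[i + 1:]:
                if following.startswith("Version:"):
                    return parse_version(following)
            break
    raise ValueError("no GitLab 'Version:' line found")


# Constructed sample report, trimmed to the lines that matter.
SAMPLE_ENV_INFO = """\
System information
System:\t\tUbuntu 22.04
Ruby Version:\t3.1.5p252
GitLab information
Version:\t17.3.1-ee
Revision:\t0000000
GitLab Shell
Version:\t14.38.0
"""


def assess(env_info_output=SAMPLE_ENV_INFO):
    """Summarise one instance's exposure from its env:info report."""
    v = version_from_env_info(env_info_output)
    return {
        "version": "%d.%d.%d" % v,
        "vulnerable": is_vulnerable(v),
        "upgrade_to": fixed_version_for(v),
    }


if __name__ == "__main__":
    import sys
    report = SAMPLE_ENV_INFO if sys.stdin.isatty() else sys.stdin.read()
    print(assess(report))
```

Run it against a live instance with `sudo gitlab-rake gitlab:env:info | python3 check_8641.py`; with no piped input it evaluates the constructed sample (17.3.1, which reports as vulnerable with 17.3.2 as the upgrade target). Versions on a branch before 17.1 (for example 16.11.x) are matched by the first range, so the script points them at 17.1.7 as the minimum fixed release; follow GitLab's upgrade path to get there.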
📡 Detection & Monitoring
Log Indicators:
- Unusual session creation patterns
- Session creation or session-bound API activity that traces back to a CI job rather than to a browser login
- Access from unexpected locations
Network Indicators:
- Unusual API calls using session tokens
- Traffic patterns suggesting token harvesting
SIEM Query (illustrative; the event and field names are placeholders that must be mapped to the fields your pipeline extracts from GitLab's api_json.log and auth.log):
source="gitlab" AND (event="session_created" OR event="token_usage") AND auth_type="ci_job_token"
A CI_JOB_TOKEN is presented in the JOB-TOKEN request header or the job_token parameter, not in the User-Agent, so a condition such as user_agent="CI_JOB_TOKEN" matches nothing; key instead on the authentication type your log source records.