CVE-2024-8650
📋 TL;DR
This vulnerability allows non-member users to view internal notes in public GitLab merge requests. It affects GitLab CE/EE instances where public projects have merge requests with internal notes marked as unresolved threads. The exposure could reveal sensitive internal discussions to unauthorized external users.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Sensitive internal discussions about security issues, code vulnerabilities, or business decisions are exposed to unauthorized external users, potentially leading to information disclosure that could be leveraged for further attacks.
Likely Case
Unauthorized users can view internal team discussions, comments about code quality, or minor operational details that were intended to remain private within the organization.
If Mitigated
With proper access controls and monitoring, the impact is limited to viewing non-critical internal discussions, though it still represents an information disclosure violation.
🎯 Exploit Status
Exploitation requires no authentication - any internet user can access affected public merge requests. The vulnerability is simple to exploit by navigating to public project merge requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.4.6, 17.5.4, 17.6.2
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/486300
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 17.4.6, 17.5.4, or 17.6.2, depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Convert Public Projects to Private
Temporarily change affected public projects to private to prevent unauthorized access while planning the upgrade.
Navigate to Project Settings > General > Visibility, project, feature, and permissions > Change project visibility to Private
Disable Merge Request Notes
Temporarily disable notes on merge requests in public projects to prevent exposure of internal discussions.
Navigate to Project Settings > General > Merge requests > Disable 'Allow users to comment on merge requests'
🧯 If You Can't Patch
- Monitor access logs for unauthorized viewing of merge request threads in public projects
- Implement web application firewall rules to block suspicious access patterns to merge request endpoints
🔍 How to Verify
Check if Vulnerable:
Check if your GitLab version falls within affected ranges: 15.0-17.4.5, 17.5.0-17.5.3, or 17.6.0-17.6.1
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
After updating, verify that the version is 17.4.6, 17.5.4, 17.6.2, or later, then test that non-members cannot view internal notes in public project merge requests.
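The version check above can be automated against the output of the `gitlab-rake gitlab:env:info` command. The following Python script is an added example, not part of this advisory or of GitLab itself: it parses the `Version:` line (tolerating an `-ee` suffix) and compares the result against the three affected ranges listed above. The sample output embedded in the script is constructed, and the exact formatting of the rake output is an assumption.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from this advisory, inclusive on both ends:
# 15.0-17.4.5, 17.5.0-17.5.3, 17.6.0-17.6.1 (fixed in 17.4.6, 17.5.4, 17.6.2).
AFFECTED_RANGES = [
    ((15, 0, 0), (17, 4, 5)),
    ((17, 5, 0), (17, 5, 3)),
    ((17, 6, 0), (17, 6, 1)),
]

# Constructed sample of `sudo gitlab-rake gitlab:env:info` output (layout assumed).
SAMPLE_ENV_INFO = """\
GitLab information
Version:\t17.4.5-ee
Revision:\tdeadbeef
Directory:\t/opt/gitlab/embedded/service/gitlab-rails
"""


def parse_version(text: str) -> Optional[Version]:
    """Parse '17.4.5', '17.4.5-ee' or '15.0' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_env_info(output: str) -> Optional[Version]:
    """Extract the GitLab version from gitlab:env:info output."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def is_vulnerable(version: Version) -> bool:
    """True when the version falls inside any affected range for CVE-2024-8650."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(output: str) -> str:
    """Human-readable verdict for the given gitlab:env:info output."""
    version = version_from_env_info(output)
    if version is None:
        return "could not determine GitLab version"
    label = ".".join(str(part) for part in version)
    if is_vulnerable(version):
        return f"GitLab {label}: AFFECTED by CVE-2024-8650, upgrade to 17.4.6/17.5.4/17.6.2 or later"
    return f"GitLab {label}: not in an affected range"


if __name__ == "__main__":
    # On a real host: sudo gitlab-rake gitlab:env:info | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    print(assess(data))
```

Note that a version outside all three ranges, such as 17.7.0, is reported as not affected because it is not in the advisory's ranges; a version that cannot be parsed is reported as undetermined rather than silently treated as safe.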
📡 Detection & Monitoring
Log Indicators:
- Unauthorized user access to /merge_requests/* endpoints
- Multiple failed authentication attempts followed by merge request access
Network Indicators:
- Unusual traffic patterns to merge request endpoints from external IPs
- Increased requests to /api/v4/projects/*/merge_requests/*
SIEM Query:
source="gitlab" AND (uri_path="/merge_requests/*" OR uri_path="/api/v4/projects/*/merge_requests/*") AND (user_id="-1" OR user="anonymous")
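The SIEM query above can be reproduced offline over GitLab's JSON request logs. The Python script below is an added example, not part of this advisory or of GitLab: it filters log events for unauthenticated requests to merge request endpoints and aggregates the hits per source IP, since anonymous reads of public merge requests are normal traffic and only a per-IP volume or a burst of discussion/notes fetches is worth triaging. The log lines are constructed and simplified; the field names (`path`, `user_id`, `username`, `remote_ip`) and the `/-/merge_requests/` URL layout used for the first pattern are assumptions.

```python
import json
from collections import Counter
from fnmatch import fnmatch
from typing import List

# Merge request endpoints from the advisory's SIEM query. The web UI path carries a
# group/project prefix, so the first pattern is matched loosely (assumed URL layout).
MR_PATH_PATTERNS = ("*/-/merge_requests/*", "/api/v4/projects/*/merge_requests/*")

# Constructed, simplified log lines in the shape of GitLab's JSON request logs
# (not a real capture; field names are assumptions).
SAMPLE_LOG = """\
{"time":"2024-12-01T10:00:01Z","path":"/acme/app/-/merge_requests/42","status":200,"user_id":null,"username":null,"remote_ip":"203.0.113.7"}
{"time":"2024-12-01T10:00:02Z","path":"/acme/app/-/merge_requests/42/discussions.json","status":200,"user_id":null,"username":null,"remote_ip":"203.0.113.7"}
{"time":"2024-12-01T10:00:03Z","path":"/api/v4/projects/17/merge_requests/42/notes","status":200,"user_id":null,"username":null,"remote_ip":"203.0.113.7"}
{"time":"2024-12-01T10:00:04Z","path":"/acme/app/-/merge_requests/42","status":200,"user_id":12,"username":"alice","remote_ip":"198.51.100.5"}
{"time":"2024-12-01T10:00:05Z","path":"/acme/app/-/issues/9","status":200,"user_id":null,"username":null,"remote_ip":"203.0.113.8"}
{"time":"2024-12-01T10:00:06Z","path":"/api/v4/projects/17/merge_requests/43","status":200,"user_id":-1,"username":"anonymous","remote_ip":"203.0.113.9"}
"""


def is_anonymous(event: dict) -> bool:
    """Unauthenticated request: no user id, the -1 sentinel, or the 'anonymous' username."""
    return event.get("user_id") in (None, -1, "-1") or event.get("username") == "anonymous"


def is_mr_path(path: str) -> bool:
    """True when the request path targets a merge request endpoint."""
    return any(fnmatch(path, pattern) for pattern in MR_PATH_PATTERNS)


def anonymous_mr_hits(log_text: str) -> List[dict]:
    """Equivalent of the SIEM query: anonymous requests to merge request endpoints."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        if is_anonymous(event) and is_mr_path(event.get("path", "")):
            hits.append(event)
    return hits


def hits_per_ip(hits: List[dict]) -> Counter:
    """Aggregate matching requests by source IP to surface the noisiest clients."""
    return Counter(hit.get("remote_ip", "?") for hit in hits)


def noisy_ips(hits: List[dict], threshold: int) -> List[str]:
    """Source IPs with at least `threshold` anonymous merge request hits."""
    return [ip for ip, count in hits_per_ip(hits).most_common() if count >= threshold]


if __name__ == "__main__":
    # On a real host: feed /var/log/gitlab/gitlab-rails/production_json.log instead.
    matched = anonymous_mr_hits(SAMPLE_LOG)
    for ip, count in hits_per_ip(matched).most_common():
        print(f"{ip}\t{count} anonymous merge request hits")
```

Tune `threshold` against the baseline of legitimate anonymous browsing on your public projects; a single unauthenticated page view is not evidence of anything, whereas one client walking the `discussions.json` and `/notes` endpoints of many merge requests is worth a closer look.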