CVE-2024-8754
📋 TL;DR
This vulnerability allows attackers to squat on GitLab accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured. It affects GitLab EE/CE instances with specific version ranges where improper input validation exists. Organizations using affected GitLab versions with JWT authentication enabled are at risk.
💻 Affected Systems
- GitLab EE
- GitLab CE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could take over legitimate user accounts by linking unauthorized external identities, potentially gaining access to sensitive repositories, CI/CD pipelines, and internal systems.
Likely Case
Account takeover of users who haven't linked external identities yet, leading to unauthorized access to projects and potential data exfiltration.
If Mitigated
Limited to attempted account linking that fails due to proper validation, with no actual account compromise.
🎯 Exploit Status
Exploitation requires a JWT authentication provider to be configured on the instance and the ability to interact with its authentication endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.1.7, 17.2.5, 17.3.2 or later
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/464062
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to a patched version using the package manager (apt/yum) or Omnibus.
3. Restart GitLab services.
4. Verify the update with gitlab-rake gitlab:env:info.
🔧 Temporary Workarounds
Disable JWT Authentication
Linux: temporarily disable the JWT authentication provider if it is not essential.
Edit /etc/gitlab/gitlab.rb and set gitlab_rails['omniauth_providers'] = [] (this clears every OmniAuth provider, not only JWT; if other providers are in use, remove just the jwt entry from the list instead).
Reconfigure: gitlab-ctl reconfigure
🧯 If You Can't Patch
- Disable JWT authentication provider entirely
- Implement network segmentation to restrict access to GitLab authentication endpoints
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version and JWT configuration: gitlab-rake gitlab:env:info | grep Version && grep -i jwt /etc/gitlab/gitlab.rb (grep also matches commented-out lines, so confirm that any hit is an active provider entry).
Check Version:
gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm version is 17.1.7+, 17.2.5+, or 17.3.2+ and test JWT authentication functionality
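As an added example that is not part of the original page or of GitLab's own tooling, this Python script applies the two verification steps above to captured output: it reads the GitLab version from gitlab-rake gitlab:env:info output, compares it with the fixed releases listed above, and checks gitlab.rb for an active jwt provider entry. The env:info output and the gitlab.rb excerpt are constructed samples, and the function names are the example's own.

```python
import re

# Fixed releases named on the page: branch (major, minor) -> first patched patch level.
PATCHED = {(17, 1): 7, (17, 2): 5, (17, 3): 2}

# Constructed sample in the shape of `gitlab-rake gitlab:env:info` output (not from a real host).
SAMPLE_ENV_INFO = """System information
GitLab information
Version:\t17.2.4
GitLab Shell
Version:\t14.37.0
"""

# Constructed /etc/gitlab/gitlab.rb excerpt declaring a JWT OmniAuth provider (placeholder secret).
SAMPLE_GITLAB_RB = """gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  { name: "jwt", label: "Example SSO", args: { secret: "<PLACEHOLDER>", algorithm: "HS256" } }
]
"""

def parse_version(env_info):
    """(major, minor, patch) from the 'GitLab information' section; the GitLab Shell
    section prints its own 'Version:' line, so a bare grep would return two matches."""
    m = re.search(r"^GitLab information\n(?:.*\n)*?^Version:[ \t]*(\d+)\.(\d+)\.(\d+)",
                  env_info, re.MULTILINE)
    if not m:
        raise ValueError("no GitLab 'Version:' line found")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True for 17.1.7+, 17.2.5+, 17.3.2+ and any later release, per the page's rule."""
    major, minor, patch = version
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    return (major, minor) > (17, 3)  # earlier branches have no listed fix: treat as unpatched

def jwt_provider_configured(gitlab_rb):
    """True if an uncommented provider entry is named jwt (name: "jwt" or 'name' => 'jwt')."""
    active = "\n".join(l for l in gitlab_rb.splitlines() if not l.lstrip().startswith("#"))
    return re.search(r"(?:['\"]name['\"]\s*=>|\bname:)\s*['\"]jwt['\"]", active) is not None

def assess(env_info, gitlab_rb):
    """Reduce both checks to one verdict for the instance."""
    if is_patched(parse_version(env_info)):
        return "patched"
    return "vulnerable" if jwt_provider_configured(gitlab_rb) else "unpatched, jwt not configured"

if __name__ == "__main__":
    print(assess(SAMPLE_ENV_INFO, SAMPLE_GITLAB_RB))  # vulnerable
```

On a real host, feed it the actual command output and the contents of /etc/gitlab/gitlab.rb instead of the constructed samples.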
📡 Detection & Monitoring
Log Indicators:
- Unusual JWT authentication attempts
- Multiple failed identity linking attempts
- Account linking from unexpected providers
Network Indicators:
- Unusual traffic to /users/auth/jwt endpoints
- Spike in authentication API calls
SIEM Query:
source="gitlab" AND (uri_path="/users/auth/jwt" OR message="*jwt*" OR message="*identity*link*")