A recent vulnerability (CVE-2024-1211) affects GitLab CE/EE in all versions from 10.6 before 16.9.7, from 16.10 before 16.10.5, and from 16.11 before 16.11.2, on instances configured to use JSON Web Tokens (JWT) as an OmniAuth provider. The flaw is a Cross-site Request Forgery (CSRF) weakness in that login flow: an attacker who gets a logged-in user to visit a malicious page can have that user's browser send requests to GitLab that the user never intended, potentially compromising the user's account and, when the victim holds administrative rights, the entire GitLab instance.
Vulnerability Details
The vulnerability exists because CSRF protection was not correctly applied to the OmniAuth JWT authentication flow. CSRF works because the browser automatically attaches the victim's GitLab session cookies to any request sent to the GitLab origin, regardless of which page initiated it. An attacker therefore only needs the victim to load a page (or follow a link) that triggers a forged request, and GitLab processes that request as if the logged-in user had made it. Depending on the request forged, successful exploitation can lead to unauthorized changes to the victim's account data or, when the victim is an administrator, to administrative actions being carried out on the affected instance.
The following snippet shows how the JWT OmniAuth provider is configured in gitlab.yml on a source installation (Omnibus installations set the same provider keys through gitlab_rails['omniauth_providers'] in /etc/gitlab/gitlab.rb). The URL and secret are placeholders; auth_url is the external identity provider's login page that GitLab redirects users to, not a GitLab endpoint.
omniauth:
  enabled: true
  providers:
    - { name: 'jwt', label: 'My JWT Provider',
        args: { secret: '<your_jwt_secret_key>', algorithm: 'HS256',
                uid_claim: 'email', required_claims: ['name', 'email'],
                info_map: { name: 'name', email: 'email' },
                auth_url: 'https://<your_identity_provider>/login', valid_within: 3600 } }
The configuration itself is not what is wrong: the flaw lies in GitLab's handling of the JWT OmniAuth login flow, so any instance running an affected version with a 'jwt' provider configured is exposed regardless of the values used here, while instances without a 'jwt' provider are not affected by this issue. The fix ships in the GitLab releases listed below and requires no configuration change.
Users are strongly advised to upgrade their GitLab instance to the patched version for their release line:
- GitLab CE/EE from 10.6 up to and including 16.9.6: upgrade to 16.9.7 (or later)
- GitLab CE/EE 16.10.0 up to and including 16.10.4: upgrade to 16.10.5 (or later)
- GitLab CE/EE 16.11.0 up to and including 16.11.1: upgrade to 16.11.2 (or later)
These releases contain the fix for the CSRF vulnerability; later releases in each line, and every release from 17.0 onward, also include it.
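To turn the version ranges and the "JWT provider configured" condition above into a check an administrator can run against their own instance, here is an added example written for this page; it is not GitLab's own tooling. It assumes you can supply the running GitLab version string (for example from the Admin Area or the version API) and the text of gitlab.yml, and the sample configuration embedded in it is constructed for the demonstration with placeholder values.

```ruby
require 'rubygems'
require 'yaml'

# Added example, not GitLab's own tooling: decide whether an instance is
# exposed to CVE-2024-1211 from two facts the advisory names, the running
# version and whether a 'jwt' OmniAuth provider is configured.

# Affected ranges from the advisory: each release line is vulnerable from its
# first version up to, but not including, the version that carries the fix.
AFFECTED_RANGES = [
  { from: '10.6',  before: '16.9.7'  },
  { from: '16.10', before: '16.10.5' },
  { from: '16.11', before: '16.11.2' },
].freeze

# GitLab reports versions such as "16.11.1-ee". The edition suffix must be
# stripped, because Gem::Version would otherwise treat "-ee" as a prerelease
# tag and sort 16.11.1-ee below 16.11.1, i.e. on the wrong side of the fix.
def affected_version?(version)
  v = Gem::Version.new(version.strip.sub(/-(ee|ce)\z/, ''))
  AFFECTED_RANGES.any? do |r|
    v >= Gem::Version.new(r[:from]) && v < Gem::Version.new(r[:before])
  end
end

# True when the gitlab.yml text lists an OmniAuth provider named 'jwt'.
# Accepts either a full file (with a top-level environment such as
# 'production') or just the 'omniauth' fragment.
def jwt_provider_configured?(gitlab_yml)
  config = YAML.safe_load(gitlab_yml) || {}
  env = config['production'] || config
  omniauth = env['omniauth'] || {}
  Array(omniauth['providers']).any? do |prov|
    prov.is_a?(Hash) && prov['name'].to_s == 'jwt'
  end
end

# Combine both checks into a single verdict.
def assess(version, gitlab_yml)
  return :no_jwt_provider unless jwt_provider_configured?(gitlab_yml)
  affected_version?(version) ? :upgrade_required : :fixed_version
end

# Constructed sample config (hypothetical URL and secret), modelled on the
# documented provider settings.
SAMPLE_GITLAB_YML = <<~YAML
  production:
    omniauth:
      enabled: true
      providers:
        - name: 'jwt'
          label: 'My JWT Provider'
          args:
            secret: 'example-secret'
            algorithm: 'HS256'
            auth_url: 'https://idp.example.com/login'
YAML

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_cve_2024_1211.rb <version> [path/to/gitlab.yml]
  version = ARGV[0] || '16.11.1-ee'
  yml = ARGV[1] ? File.read(ARGV[1]) : SAMPLE_GITLAB_YML
  puts "#{version}: #{assess(version, yml)}"
end
```

Run without arguments it evaluates the embedded sample (16.11.1-ee with a jwt provider) and reports upgrade_required; pass your real version and gitlab.yml path to check an actual instance. On Omnibus the provider list lives in gitlab.rb rather than gitlab.yml, so there you would feed the check the rendered gitlab.yml that Omnibus generates instead.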
Original References
- GitLab Security Advisory: 2024-09-07
- NIST NVD: CVE-2024-1211 Detail
Conclusion
Maintaining the security and integrity of your GitLab instance depends on applying fixes promptly. Upgrade to the patched versions listed above; doing so closes this CSRF vulnerability and keeps user accounts and projects on the instance protected from unauthorized access through it.
Remember, cybersecurity is an ongoing process. Stay informed about vulnerabilities and security patches to ensure the safety of your applications and data.
Timeline
Published on: 01/31/2025 00:15:08 UTC