An issue with CVE ID CVE-2024-12431 has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This security vulnerability affects all GitLab versions from 15.5 onwards, up to but not including the fixed versions 17.5.5, 17.6.3, and 17.7.1. The issue could allow unauthorized users to manipulate the status of issues in public projects.
Details
The vulnerability lies in the improper handling of issue status updates in the GitLab application. An attacker could exploit this flaw to change the status of issues (e.g., open, in-progress, closed) in public projects without proper authorization. This could lead to unauthorized information disclosure, confusion among team members, and delays in project development.
It's important to note that this vulnerability affects only public projects, which should reduce the impact on organizations with strict access controls and private project settings.
Code Snippet
The core of the problem resides within the update_issue_status method of GitLab. Here's a code snippet that demonstrates the issue in a simplified manner:
def update_issue_status(user, issue_id, new_status):
    # Look up the issue; find_issue_by_id returns None when it does not exist.
    issue = find_issue_by_id(issue_id)
    # Defect: can_access_issue only answers "can this user VIEW the issue?",
    # yet it is used here to authorize a WRITE (changing the status).
    if issue and user.can_access_issue(issue):
        issue.update_status(new_status)
    else:
        raise PermissionError("User does not have access to issue.")
As seen in the code snippet, the update_issue_status method checks whether the user has access to the issue before updating the status. However, the user.can_access_issue(issue) method only verifies if the user can view the issue, which is insufficient to ensure the user has permission to edit/update it.
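The following added example (not GitLab's code; project names, role ranks and function names are assumptions) models the read-versus-write confusion described above and places the flawed check beside the corrected one, so the difference in outcome for a non-member of a public project can be observed directly:

```python
from dataclasses import dataclass, field

# Illustrative model, not GitLab's code: names and role ranks are assumptions.
ROLE_RANK = {"anonymous": 0, "guest": 10, "reporter": 20, "developer": 30}

@dataclass
class Project:
    public: bool
    members: dict = field(default_factory=dict)  # username -> role

@dataclass
class Issue:
    iid: int
    project: Project
    state: str = "opened"

def can_read_issue(user, issue):
    # Visibility: issues in public projects are readable by everyone.
    return issue.project.public or user in issue.project.members

def can_update_issue(user, issue):
    # Write permission: reporter-or-above membership is required.
    role = issue.project.members.get(user, "anonymous")
    return ROLE_RANK[role] >= ROLE_RANK["reporter"]

def update_issue_status_vulnerable(user, issue, new_state):
    # Flaw: a read check gates a write, so anyone who can see the issue can close it.
    if not can_read_issue(user, issue):
        raise PermissionError("User does not have access to issue.")
    issue.state = new_state
    return issue.state

def update_issue_status_fixed(user, issue, new_state):
    # Fix: gate the write on the write permission.
    if not can_update_issue(user, issue):
        raise PermissionError("User may not change this issue's state.")
    issue.state = new_state
    return issue.state

def demo(user="outsider"):
    """Run both variants against a fresh issue in a public project."""
    proj = Project(public=True, members={"alice": "developer"})
    results = {}
    for fn in (update_issue_status_vulnerable, update_issue_status_fixed):
        try:
            results[fn.__name__] = fn(user, Issue(1, proj), "closed")
        except PermissionError:
            results[fn.__name__] = "denied"
    return results
```

With the default non-member user, the vulnerable variant closes the issue while the fixed variant denies the request; a developer member ("alice") is permitted by both.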
Exploit
To exploit this vulnerability, an attacker would first need to identify a public project on a vulnerable GitLab instance. Then, the attacker could use the GitLab API or other means to perform unauthorized status updates to issues within that public project.
For example, an attacker could use the following curl command to manipulate the status of an issue with id 12345:
curl -X PUT -H "PRIVATE-TOKEN: <attacker_access_token>" "https://vulnerable_gitlab_instance.com/api/v4/issues/12345?state_event=close";
In this example, the attacker attempts to close issue 12345 by sending an unauthorized PUT request to the GitLab API with their private access token.
Solution
GitLab has released patches for this security issue in versions 17.5.5, 17.6.3, and 17.7.1 of CE and EE. It is highly recommended to update GitLab CE/EE to these fixed versions to mitigate the risk of unauthorized issue status manipulations.
Additionally, consider reviewing internal policies on project and issue visibility to ensure public projects are intended for broader access, and private projects are utilized for sensitive and confidential information.
In conclusion, organizations using GitLab CE/EE should immediately update their GitLab instances to the fixed versions and review their public project policies to prevent unauthorized manipulations.
Timeline
Published on: 01/08/2025 21:15:11 UTC