A security vulnerability has been discovered in GitLab CE/EE affecting all versions from 16.4 before 17.5.5, from 17.6 before 17.6.3, and from 17.7 before 17.7.1. The issue, tracked as CVE-2024-13041, concerns users created through the SAML provider when the SAML external groups setting is in use. Because an affected account may be created without the "external" flag it was meant to carry, the flaw allows unauthorized access to internal projects and groups on affected GitLab CE/EE instances.

More Details on the Vulnerability

In GitLab, a user flagged as "external" cannot see projects or groups whose visibility is "internal"; every other signed-in user can. When a user is created through the SAML provider, the provider's external groups setting (which flags members of the listed IdP groups as external) is intended to override the provider-level external configuration. On affected versions, however, the interaction between the two settings could leave a newly created user without the external flag, so an account that the configuration intended to restrict was treated as a regular user with access to every internal project and group.

Exploiting the flaw requires being able to sign in to the target instance through its SAML provider, so that the external groups setting is applied when the account is created. An identity that the configuration intended to be external is provisioned through the normal SAML sign-in flow and, on an affected version, comes out as a regular user. No administrator action and no tampering with existing accounts is needed, and the resulting account looks like any other legitimately provisioned user.

Below is a simplified snippet in the style of the affected code, illustrating the flawed check:

  # Simplified illustration of the flawed check.
  def external_user?
    if provider == 'saml'
      external_groups_setting = Gitlab::CurrentSettings.external_authorization_service_defaults_to_provider_saml
    else
      # Reads the flag of the external *authorization* service, an unrelated feature.
      external_groups_setting = Gitlab::CurrentSettings.external_authorization_service_enabled
    end

    # The external flag is only ever set through external group membership; a user
    # from a provider configured as external but outside those groups falls through.
    return true if external_groups_setting && external_groups.present?

    false
  end

In this snippet, external_user? decides whether a newly created user is flagged as external. For the SAML provider it reads one instance setting; for every other provider it reads external_authorization_service_enabled, which belongs to GitLab's separate external authorization (classification label) feature and has nothing to do with external providers. Either way, the method returns true only when the chosen flag is set and the user has external groups. A user whose provider is configured as external but who is not a member of any external group falls through and is created as an internal user. That is the condition the advisory describes: group membership becomes the only path to the external flag, and the provider-level configuration is silently lost.
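To make the interaction of the two settings concrete, here is an added example written for this page; it is neither GitLab's code nor the snippet above. It models a gitlab.rb fragment with the keys involved (omniauth_external_providers and the SAML provider's external_groups), then compares a decision with the flaw described above against a corrected one. The group names, the sign-ins, the function names and the corrected rule itself (provider-level configuration honoured first, group membership only adding the flag) are assumptions made for illustration, not a reproduction of GitLab's patch.

```ruby
# Added example, not GitLab source. Models the two gitlab.rb settings that
# interact in CVE-2024-13041 and compares a flawed decision with a corrected one.
# Key names match the Linux package configuration; values are constructed.
GITLAB_RB = {
  # every account created through these providers should be external
  'omniauth_external_providers' => ['saml'],
  'omniauth_providers' => [
    {
      name: 'saml',
      groups_attribute: 'Groups',              # IdP attribute carrying group names
      external_groups: %w[Contractors Vendors] # members of these are flagged external
    }
  ]
}.freeze

# External groups configured on the SAML provider, or [] when none are set.
def saml_external_groups(config = GITLAB_RB)
  saml = config['omniauth_providers'].find { |p| p[:name] == 'saml' }
  saml ? Array(saml[:external_groups]) : []
end

# True when a SAML user belongs to at least one configured external group.
def in_external_group?(provider, user_groups, config = GITLAB_RB)
  return false unless provider == 'saml'

  groups = saml_external_groups(config)
  groups.any? && (groups & user_groups).any?
end

# Flawed rule (assumed, in the spirit of the snippet above): group membership is
# the only way to become external. omniauth_external_providers is never
# consulted, so a SAML user outside the listed groups is created as internal.
def vulnerable_external?(provider, user_groups, config = GITLAB_RB)
  in_external_group?(provider, user_groups, config)
end

# Corrected rule (assumed, not necessarily GitLab's exact patch): the
# provider-level setting is honoured first; external_groups can add the flag
# but never silently drop it.
def fixed_external?(provider, user_groups, config = GITLAB_RB)
  config['omniauth_external_providers'].include?(provider) ||
    in_external_group?(provider, user_groups, config)
end

# Constructed sign-ins: user, provider used, and groups sent by the IdP.
SIGN_INS = [
  { user: 'alice', provider: 'saml',   groups: ['Contractors'] }, # in an external group
  { user: 'bob',   provider: 'saml',   groups: ['Engineering'] }, # external provider, no external group
  { user: 'carol', provider: 'github', groups: [] }               # provider not listed as external
].freeze

# Evaluate both rules for each sign-in and return the comparison.
def compare(sign_ins = SIGN_INS, config = GITLAB_RB)
  sign_ins.map do |s|
    { user: s[:user],
      vulnerable: vulnerable_external?(s[:provider], s[:groups], config),
      fixed: fixed_external?(s[:provider], s[:groups], config) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |r|
    puts "#{r[:user]}: vulnerable=#{r[:vulnerable]} fixed=#{r[:fixed]}"
  end
end
```

The row for bob is the one the advisory is about: the provider says every account should be external, bob is in none of the external groups, and the flawed rule produces an internal user while the corrected one keeps the provider-level decision. The rules only diverge when the provider is listed in omniauth_external_providers; with that list empty both rules agree.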

Original References

- GitLab Patch Release: 17.7.1, 17.6.3, 17.5.5 (2025-01-08)

- SAML SSO configuration: GitLab SAML SSO Configuration Instructions

- External Authorization: Configuring External Authorization

Mitigation and Recommendations

GitLab has released patches addressing this vulnerability. Administrators of affected instances are strongly advised to upgrade to at least the following versions (or any later release):

- 17.5.5 for GitLab CE/EE 17.5.x users
- 17.6.3 for GitLab CE/EE 17.6.x users
- 17.7.1 for GitLab CE/EE 17.7.x users

Upgrading fixes the creation logic but does not by itself tell you which accounts were created with the wrong status while the instance was vulnerable. Security teams should therefore also audit the instance: confirm what omniauth_external_providers and the SAML provider's external_groups are meant to enforce, list every account with a SAML identity that is not flagged external, and correct the flag (in the Admin Area or through the Users API) for any account the configuration intended to be external. For those accounts, review the internal projects and groups they could reach and any membership or access they acquired in the meantime, and tighten access control policies wherever internal visibility alone was relied upon as a boundary.
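As an added example of that audit (written for this page, not GitLab tooling), the script below takes a JSON export of user records shaped like the administrator response of GET /api/v4/users, which includes the external flag and the linked identities, and reports every account linked to a provider configured as external that is stored as internal. The user records are constructed for illustration; the provider list and the remediation strings are assumptions. GitLab does not store the IdP group list on the user, so an export cannot tell you whether a given user should have been caught by external_groups; the script therefore flags every internal SAML user for review rather than deciding for you.

```ruby
# Added example, not GitLab tooling: flag SAML-linked accounts stored as
# internal. Input shape follows the admin response of GET /api/v4/users.
require 'json'

# Constructed sample export (four users, two providers).
SAMPLE_USERS_JSON = <<~JSON
  [
    {"id": 12, "username": "alice", "state": "active", "external": true,
     "identities": [{"provider": "saml", "extern_uid": "alice@example.com"}]},
    {"id": 13, "username": "bob", "state": "active", "external": false,
     "identities": [{"provider": "saml", "extern_uid": "bob@example.com"}]},
    {"id": 14, "username": "carol", "state": "active", "external": false,
     "identities": [{"provider": "github", "extern_uid": "98765"}]},
    {"id": 15, "username": "dave", "state": "blocked", "external": false,
     "identities": [{"provider": "saml", "extern_uid": "dave@example.com"}]}
  ]
JSON

# Records to review: linked to one of the providers configured as external
# (omniauth_external_providers) but stored with external == false.
def suspicious_internal_users(users, external_providers)
  users.select do |u|
    providers = Array(u['identities']).map { |i| i['provider'] }
    !u['external'] && (providers & external_providers).any?
  end
end

# Build the audit report. Blocked accounts are listed separately: they cannot
# reach anything until unblocked, but the decision should still be recorded.
def audit(json, external_providers: ['saml'])
  users = JSON.parse(json)
  flagged = suspicious_internal_users(users, external_providers)
  active, blocked = flagged.partition { |u| u['state'] != 'blocked' }
  {
    review: active.map { |u| u['username'] },
    blocked: blocked.map { |u| u['username'] },
    # Calls an administrator can issue once each case is confirmed
    # (the Users API accepts external=true on PUT /users/:id).
    remediation: flagged.map { |u| "PUT /api/v4/users/#{u['id']} external=true" }
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_USERS_JSON)
  puts "Review now: #{report[:review].join(', ')}"
  puts "Blocked (decide before unblocking): #{report[:blocked].join(', ')}"
  report[:remediation].each { |line| puts line }
end
```

Run it against the real export by replacing SAMPLE_USERS_JSON with the paginated API output, and pass the provider list your gitlab.rb actually configures as external. Setting the flag is only the first step: for each confirmed account, also review what internal projects and groups it visited while it was a regular user.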

Conclusion

CVE-2024-13041 is a security vulnerability affecting multiple versions of GitLab CE/EE. The flaw lies in how the SAML external groups setting is applied when a user is created through the SAML provider: an account that the configuration intended to be external could be created as a regular user, giving it unauthorized access to internal projects and groups. Administrators are strongly advised to upgrade to a fixed version, audit accounts created through SAML while the instance was vulnerable, and reassess access control policies that rely on internal visibility.

Timeline

Published on: 01/09/2025 07:15:26 UTC