*Published: June 2024*
*by [Your Name], Security Researcher*
What is CVE-2024-4784?
CVE-2024-4784 is a security flaw disclosed in the GitLab Enterprise Edition (EE) that lets an attacker bypass the password re-entry step needed to approve specific policies. This vulnerability affects:
GitLab EE 17.2 up to (not including) 17.2.2
In simple words: If you use GitLab EE and think your policies are protected by a required password step, you may be wrong—an attacker could sidestep that check and perform forbidden actions.
Why Does This Matter?
In organizations, certain actions (like approving changes to CI/CD security policies) require a password re-entry, even if you're already logged in. This helps block unauthorized or accidental dangerous changes. An attacker leveraging this flaw could approve or change important policies without re-entering a password.
The Vulnerability In Detail
Ordinarily, when a user tries to approve high-risk configuration or policy changes in GitLab, the UI prompts for password re-entry. This is called a "reauthentication gate." Because of CVE-2024-4784, this gate can be bypassed by sending specially-crafted HTTP requests directly to the underlying API endpoint, skipping the password prompt entirely.
1. Prerequisites
- The attacker needs a compromised user session or a victim’s browser already logged in (session hijack, XSS, or someone who left the laptop unlocked).
GitLab’s protected actions usually call endpoints like
POST /groups/:group_id/protected_environments/:id/approve
Or for project-level policies
POST /projects/:project_id/policies/approve
3. Capture a Legitimate Request
Using browser tools, a user watches what happens when they go through the password prompt and approve a policy. The browser sends a POST request, often with a CSRF token.
4. Replay the Request Without Password Re-entry
Because of the bug, an attacker can just re-send the requested payload directly, skipping the password prompt entirely.
Example curl Exploit:
curl -X POST 'https://your.gitlab.instance/groups/123/protected_environments/789/approve'; \
-H 'Cookie: _gitlab_session=YOUR_SESSION_COOKIE_HERE' \
-H 'X-CSRF-Token: YOUR_CSRF_TOKEN_HERE' \
-d 'policy_id=789&approve=true'
> *Note: You need to replace cookie & CSRF token values with legitimate ones from the victim’s session. No password needed!*
5. Result
GitLab records the policy as approved—behaving as if a password was re-entered!
Real-World Impact
- Internal Security: Attackers with some access (like in a shared office) can escalate control, change CI/CD pipelines, or weaken approvals.
- Supply-Chain Attacks: Malicious insiders could approve weak policies to push poisoned code to production.
- Auditing and Trust: Any action that required “real” user reauthentication may now be suspect.
References & More Info
- GitLab Release Blog: CVE-2024-4784 Security Release
- GitLab CVE-2024-4784 Advisory - NVD entry
- Official GitLab Changelog
- Exploit-DB entry (when available)
Conclusion
CVE-2024-4784 is a critical reminder: even the best enterprise software can develop security holes. Policy approval password prompts are your last defense—make sure they work! If you’re running an affected GitLab EE version, upgrade *now* and double-check your approvals.
*Stay safe, and patch early!*
*(If you found this article helpful, share it with your team or drop any questions below!)*
Timeline
Published on: 08/08/2024 10:15:09 UTC
Last modified on: 08/08/2024 13:04:18 UTC