On June 2nd, 2024, the GitLab security team published an advisory about a serious Cross-Site Scripting (XSS) vulnerability affecting the popular code collaboration service, GitLab CE/EE. Tracked as CVE-2024-8312, this bug opened the door for attackers to inject malicious HTML and JavaScript directly into the Global Search field on a diff view. In this post, we’ll break down exactly what happened, how it could be exploited, and what you should do to stay safe.

CVE-2024-8312 impacts

- GitLab CE/EE versions:

17.5 before 17.5.1

It’s a classic XSS—an old school web security bug with dangerous modern consequences. By inserting crafted HTML/JavaScript into the Global Search field on a "diff view" page, attackers could run their code in the context of any user who viewed the search results.

In Plain English

If an attacker lured a maintainer (or anyone with access) into running a search with their code, the attacker could pop up fake logins, steal credentials, take actions on behalf of users, or spread the attack deeper.

Deep Dive: The Exploit

When you open a pull request or code change (“merge request”) in GitLab, you see a "diff view," showing what’s changed. At the top of this view, there’s a search bar to help find lines in the diff. Unfortunately, GitLab failed to properly sanitize (“clean up”) user-provided input in this search field.

How the XSS Works (In Simple Steps)

1. An attacker crafts a special search query containing HTML/JavaScript.

Here’s an example of an evil search query parameter

?q=%3Cimg%20src%3Dx%20onerror%3Dalert(%27XSS%27)%3E

Decoded, that’s

<img src=x onerror=alert('XSS')>

POC URL Structure

https://gitlab.example.com/namespace/project/merge_requests/123/diffs?q=<img src=x onerror=alert('XSS')>

If you follow this link (on a vulnerable GitLab version), a JavaScript alert box pops up—proof the attacker’s code is running.

Step-By-Step: Building an Exploit

1. Find any open merge request in a vulnerable GitLab instance.
Let’s say the path is: /my-group/my-app/merge_requests/456/diffs

2. Create a malicious search query

<script>alert('Hacked by XSS')</script>

URL encode

%3Cscript%3Ealert('Hacked by XSS')%3C%2Fscript%3E

https://gitlab.example.com/my-group/my-app/merge_requests/456/diffs?q=%3Cscript%3Ealert('Hacked by XSS')%3C%2Fscript%3E

4. Send to your target.
The victim visits the link and, boom—their browser executes your JavaScript.

Technical Explanation

At fault is the lack of output escaping or input sanitization for the search query used in the results rendering. When the diff page inserts the raw search value into the HTML, browsers interpret any tags or events as legit code to run.

GitLab’s Official Fix

GitLab’s maintainers have fixed the bug by tightly escaping or stripping user input in the search field. See their official advisory & patch notes:

- GitLab Security Release: CVE-2024-8312
- NVD Entry for CVE-2024-8312

17.3.6 or later (17.4.3+, 17.5.1+)

If you’re running older versions, upgrade immediately! This XSS is trivial to exploit.

References

- GitLab Security Release
- CVE-2024-8312 - NVD Database

Conclusion

CVE-2024-8312 is a reminder that even seemingly harmless features like a search box can become a gateway for attackers if user input is not properly treated. While GitLab has acted quickly, the ease of exploitation means all GitLab administrators must act fast to upgrade.

If you learned from this article or want more deep dives in plain English, follow our blog for the latest in software security threats. Stay safe and keep patching!


*This post is exclusive to Security Insights Blog. Please link back if you share excerpts or insights!*

Timeline

Published on: 10/24/2024 10:15:03 UTC
Last modified on: 12/13/2024 15:43:23 UTC