Overview
GitLab CE/EE, the open-source web-based DevOps lifecycle tool, has been hit by a critical vulnerability, tagged as CVE-2024-4994. This vulnerability affects all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, and all versions starting from 17.1.0 before 17.1.1. The vulnerability allows for a Cross-Site Request Forgery (CSRF) attack on GitLab’s GraphQL API, leading to the execution of arbitrary GraphQL mutations. This could potentially compromise the system or lead to data leakage, affecting companies and developers using the affected versions of GitLab CE/EE. It is a critical concern due to its high CVSS Severity Score of 8.1.
Vulnerability Summary
CVE ID: CVE-2024-4994
Severity: Critical (CVSS: 8.1)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: Potential system compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
GitLab CE/EE | 16.1.0 before 16.11.5
GitLab CE/EE | 17.0.0 before 17.0.3
GitLab CE/EE | 17.1.0 before 17.1.1
How the Exploit Works
The exploit works by taking advantage of GitLab’s inadequate anti-CSRF controls in its GraphQL API. An attacker can trick a victim into visiting a malicious web page or clicking a link, which then sends a forged request to the vulnerable GitLab instance. The server, failing to identify this request as coming from an untrusted source, processes the request as though it originated from the victim, leading to the execution of arbitrary GraphQL mutations. This could result in unauthorized changes to data, potential system compromise, or data leakage.
Conceptual Example Code
Conceptually, the exploit can be performed using a malicious HTTP request, which might look something like this:
POST /api/graphql HTTP/1.1
Host: victim-gitlab-instance.com
Content-Type: application/json
Cookie: [Victim's GitLab session cookie]
{
"query": "mutation { someArbitraryMutation(...) { ... } }"
}In the above example, “someArbitraryMutation” would be replaced with an actual GraphQL mutation intended to perform unauthorized actions on the victim’s GitLab instance.
Mitigation Guidance
The best way to mitigate this vulnerability is by applying the vendor patch. GitLab has released updates to fix this vulnerability in the affected versions. Users are advised to upgrade to the latest version available immediately. If upgrading is not immediately possible, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation by blocking or alerting on suspicious requests. However, this is a temporary solution and does not address the underlying vulnerability. Therefore, it is strongly advised to apply the vendor patch as soon as possible.