Session Data Exfiltration Vulnerability in GitLab CE/EE

CVE-2024-11274

8.7 HIGH

Key Information

Vendor
Gitlab
Status
Gitlab
Vendor
CVE Published: 12 December 2024

What is CVE-2024-11274?

CVE-2024-11274 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that affects several specific versions of the software. GitLab is a widely used platform for managing software development, including source code management, issue tracking, and CI/CD pipelines. The vulnerability allows Network Error Logging (NEL) headers to be injected into Kubernetes proxy responses, which could lead to the exfiltration of session data. Exposure of session information is a significant risk for organizations using GitLab, as it could facilitate unauthorized access to, and manipulation of, project repositories or sensitive data workflows.

Technical Details

The vulnerability affects GitLab versions from 16.1 up to, but not including, 17.4.6; from 17.5 up to, but not including, 17.5.4; and from 17.6 up to, but not including, 17.6.2. The core issue is improper handling of NEL headers in responses processed by the Kubernetes proxy, which can lead to unauthorized access to session-related information. This makes the flaw an attractive target for attackers seeking the ongoing sessions and credentials of users interacting with the GitLab instance.
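The following triage helper is an added example, not code from GitLab or from this advisory. It checks a version string against the ranges above and flags captured response headers whose NEL policy reports to a host outside an allowlist; the function names, host names and sample headers are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Affected ranges as stated on this page: (first affected, first fixed).
AFFECTED = [((16, 1, 0), (17, 4, 6)),
            ((17, 5, 0), (17, 5, 4)),
            ((17, 6, 0), (17, 6, 2))]

# Constructed sample: headers as a monitoring probe might record them.
SAMPLE_SUSPECT = {
    "NEL": '{"report_to": "default", "max_age": 3600}',
    "Report-To": '{"group": "default", "max_age": 3600, '
                 '"endpoints": [{"url": "https://collector.example.net/r"}]}',
}

def parse_version(text):
    """'17.5.3-ee' -> (17, 5, 3); missing components count as 0."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if the version falls inside one of the ranges listed above."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def unexpected_nel_endpoints(headers, allowed_hosts):
    """Return report URLs that an NEL policy in these headers would send
    to hosts outside allowed_hosts. An empty list means nothing to flag."""
    h = {k.lower(): v for k, v in headers.items()}
    if "nel" not in h:
        return []
    try:
        policy = json.loads(h["nel"])
        # Report-To may carry several comma-separated JSON objects.
        groups = json.loads("[" + h.get("report-to", "") + "]")
        urls = [e.get("url", "") for g in groups
                if g.get("group") == policy.get("report_to")
                for e in g.get("endpoints", [])]
    except (ValueError, AttributeError, TypeError):
        return ["<unparseable NEL/Report-To header>"]
    return [u for u in urls if urlsplit(u).hostname not in allowed_hosts]

if __name__ == "__main__":
    for ver in ("16.0.9", "17.4.5-ee", "17.4.6", "17.5.0", "17.6.2"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(unexpected_nel_endpoints(SAMPLE_SUSPECT, {"gitlab.example.com"}))
```
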

Potential Impact of CVE-2024-11274

  1. Session Data Exposure: If exploited, this vulnerability allows attackers to extract session data, which can include sensitive information related to user interactions. Gaining access to session data can enable unauthorized users to impersonate legitimate users, thereby compromising account integrity.

  2. Increased Risk of Data Breaches: Access to session information can lead to broader data breaches within an organization. Attackers may leverage this access to extract confidential project details, intellectual property, or customer data stored within GitLab instances, leading to severe reputational and financial damage.

  3. Disruption of Development Workflows: The ability to manipulate session data could disrupt or hinder ongoing development workflows, potentially leading to unauthorized modifications or data losses within critical projects. Such disruptions can halt productivity and negatively impact project timelines and deliverables.

Affected Version(s)

GitLab < 17.4.6

GitLab < 17.5.4

GitLab < 17.6.2

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

Collectors

NVD Database, Mitre Database

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program.