CVE-2024-0199 Overview
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. This vulnerability allows authenticated users to circumvent code review requirements established through the CODEOWNERS mechanism, potentially enabling unauthorized code changes to protected files and directories.
Critical Impact
Attackers can bypass CODEOWNERS protection to commit unauthorized changes to protected code paths, undermining code review workflows and potentially introducing malicious code into production repositories.
Affected Products
- GitLab Community Edition versions 11.3 to 16.7.6
- GitLab Enterprise Edition versions 11.3 to 16.7.6
- GitLab Community Edition versions 16.7.6 to 16.8.3
- GitLab Enterprise Edition versions 16.7.6 to 16.8.3
- GitLab Community Edition versions 16.8.3 to 16.9.1
- GitLab Enterprise Edition versions 16.8.3 to 16.9.1
Discovery Timeline
- March 6, 2024 - GitLab releases security patch in version 16.9.2
- March 7, 2024 - CVE-2024-0199 published to NVD
- December 11, 2024 - Last updated in NVD database
Technical Details for CVE-2024-0199
Vulnerability Analysis
This authorization bypass vulnerability (CWE-863: Incorrect Authorization) affects GitLab's CODEOWNERS functionality, which is designed to enforce mandatory code reviews from specific individuals or teams for designated files and directories. The vulnerability allows an authenticated attacker to craft a malicious payload within an old feature branch that circumvents these authorization checks.
The CODEOWNERS feature is a critical security control in GitLab that ensures changes to sensitive code paths require approval from designated reviewers. By bypassing this mechanism, attackers can merge changes without obtaining required approvals, effectively undermining the entire code review security model.
Root Cause
The root cause stems from improper authorization validation in GitLab's merge request handling when dealing with old feature branches. The CODEOWNERS validation logic fails to properly enforce approval requirements under specific conditions involving legacy branch states, allowing the authorization check to be bypassed with a specially crafted payload.
Attack Vector
The attack is network-based and requires low privileges (authenticated user access). An attacker with repository access can exploit this vulnerability by:
- Identifying or creating an old feature branch in a target repository
- Crafting a specific payload that exploits the authorization validation flaw
- Submitting changes that would normally require CODEOWNERS approval
- Successfully merging the changes without obtaining required code owner approvals
The vulnerability is particularly dangerous in enterprise environments where CODEOWNERS is relied upon as a security control for protecting critical codebases, configuration files, or infrastructure-as-code definitions.
Detection Methods for CVE-2024-0199
Indicators of Compromise
- Merge requests that were approved and merged without required CODEOWNERS approvals
- Unusual merge activity from old or stale feature branches
- Changes to CODEOWNERS-protected files without corresponding approval audit trails
- Merge request activity patterns that bypass normal code review workflows
Detection Strategies
- Audit GitLab merge request logs for merges that bypassed CODEOWNERS requirements
- Review repository protected branch configurations and recent merge activity
- Monitor for changes to sensitive files defined in CODEOWNERS without proper approvals
- Implement additional logging around merge request approval workflows
Monitoring Recommendations
- Enable detailed audit logging for merge request approvals in GitLab
- Set up alerts for merges to protected branches from branches older than a defined threshold
- Regularly audit CODEOWNERS compliance through GitLab's built-in compliance features
- Monitor for any unauthorized modifications to security-critical code paths
How to Mitigate CVE-2024-0199
Immediate Actions Required
- Upgrade GitLab immediately to version 16.9.2 or later
- For GitLab 16.8.x users, upgrade to at least version 16.8.4
- For GitLab 16.7.x users, upgrade to at least version 16.7.7
- Audit recent merge request activity for any unauthorized bypasses of CODEOWNERS rules
- Review and validate that CODEOWNERS protections are functioning correctly after patching
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following versions or later:
- GitLab 16.9.2 (recommended)
- GitLab 16.8.4 (for 16.8.x branch)
- GitLab 16.7.7 (for 16.7.x branch)
For detailed patch information, refer to the GitLab Security Release Announcement. Additional technical details can be found in the GitLab Issue #436977 and the HackerOne Report #2295423.
Workarounds
- Implement additional merge request approval rules beyond CODEOWNERS as a defense-in-depth measure
- Restrict merge permissions to trusted maintainers while awaiting patching
- Consider enabling branch protection rules requiring multiple approvers
- Audit and clean up stale feature branches that could be exploited
- Implement external code review tooling as a supplementary control until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
