CVE-2024-0402 Overview
CVE-2024-0402 is a critical path traversal vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows authenticated users to write files to arbitrary locations on the GitLab server. This vulnerability exists in the workspace creation functionality, enabling attackers with valid credentials to bypass intended directory restrictions and potentially achieve remote code execution by writing malicious files to sensitive system locations.
Critical Impact
Authenticated attackers can write arbitrary files to any location on the GitLab server, potentially leading to remote code execution, data corruption, or complete system compromise.
Affected Products
- GitLab Community Edition (CE) versions 16.0 to 16.6.5
- GitLab Enterprise Edition (EE) versions 16.0 to 16.6.5
- GitLab CE/EE versions 16.7 to 16.7.3
- GitLab CE/EE version 16.8.0
Discovery Timeline
- 2024-01-25 - GitLab releases critical security patch
- 2024-01-26 - CVE-2024-0402 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0402
Vulnerability Analysis
This vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from insufficient validation of file paths during the workspace creation process in GitLab. When an authenticated user creates a workspace, the application fails to properly sanitize user-supplied input, allowing path traversal sequences to escape the intended workspace directory.
The vulnerability is particularly severe because it can be exploited over the network by any authenticated user, regardless of their privilege level. The changed scope indicator in the vulnerability assessment means that successful exploitation can affect resources beyond the vulnerable component's security scope, potentially impacting the underlying operating system and other services running on the same server.
Root Cause
The root cause is a path traversal vulnerability (CWE-22) in the workspace creation feature. The application does not adequately validate or sanitize file path inputs during workspace creation, allowing attackers to include directory traversal sequences (such as ../) in file paths. This enables writing files outside the intended workspace directory to arbitrary locations on the filesystem accessible by the GitLab service account.
Attack Vector
The attack can be executed remotely over the network by any authenticated GitLab user. The attacker crafts a malicious workspace creation request containing path traversal sequences in the file path parameters. When the server processes this request, it writes the attacker-controlled content to an arbitrary location on the filesystem.
This could be leveraged to:
- Overwrite critical configuration files
- Plant SSH authorized keys for persistent access
- Write webshells or cron jobs for code execution
- Corrupt or replace application binaries
The technical details of the exploitation mechanism can be found in the GitLab Issue Tracker Discussion and the GitLab Security Release Announcement.
Detection Methods for CVE-2024-0402
Indicators of Compromise
- Unexpected files appearing in system directories outside of GitLab workspace paths
- Modified configuration files with unusual timestamps corresponding to workspace creation activities
- Anomalous file write operations in system logs referencing the GitLab service account
- New SSH authorized_keys entries or cron jobs not created by administrators
Detection Strategies
- Monitor GitLab application logs for workspace creation requests containing path traversal patterns (../, ..%2f, ..%5c)
- Implement file integrity monitoring (FIM) on critical system directories and configuration files
- Audit file system changes made by the GitLab service account outside of expected directories
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
Monitoring Recommendations
- Enable verbose logging for workspace creation operations in GitLab
- Configure real-time alerts for file modifications in sensitive directories such as /etc/, /root/, and cron directories
- Review GitLab audit logs for unusual workspace creation patterns or high-frequency requests from single users
- Implement network-level monitoring for unusual outbound connections that may indicate post-exploitation activity
How to Mitigate CVE-2024-0402
Immediate Actions Required
- Upgrade GitLab CE/EE to version 16.8.1, 16.7.4, or 16.6.6 immediately
- Review system logs and file integrity reports for signs of exploitation
- Audit recently created workspaces for suspicious activity
- Temporarily disable workspace creation functionality if immediate patching is not possible
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to one of the following patched versions based on their current release branch:
- GitLab 16.8.1 for installations running 16.8.x
- GitLab 16.7.4 for installations running 16.7.x
- GitLab 16.6.6 for installations running 16.6.x or earlier 16.x versions
Detailed patch information is available in the GitLab Security Release Announcement.
Workarounds
- Restrict workspace creation permissions to trusted users only until patching can be completed
- Implement additional file system access controls limiting where the GitLab service account can write files
- Deploy network segmentation to limit the blast radius of potential compromises
- Enable enhanced logging and monitoring to detect exploitation attempts
# Check current GitLab version
gitlab-rake gitlab:env:info
# Upgrade GitLab to patched version (Omnibus installation)
sudo apt-get update && sudo apt-get install gitlab-ee=16.8.1-ee.0
# Verify the upgrade
gitlab-rake gitlab:check
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
