CVE-2024-0861 Overview
CVE-2024-0861 is an authorization flaw in GitLab Enterprise Edition (EE) that allows users with the Guest role to modify Custom dashboard projects settings. The issue violates the role-based access control model, which restricts configuration changes to users with elevated privileges. GitLab disclosed the vulnerability on February 22, 2024, and tracks it under [CWE-425] (Direct Request, or Forced Browsing). Affected versions include GitLab EE 16.4 through 16.7.6, 16.8 through 16.8.3, and 16.9 through 16.9.1. The flaw requires only low-privileged authenticated access and no user interaction.
Critical Impact
Authenticated Guest users can alter Custom dashboard projects configuration, undermining project-level access boundaries in GitLab EE deployments.
Affected Products
- GitLab EE versions 16.4 through 16.7.6
- GitLab EE versions 16.8 through 16.8.3
- GitLab EE versions 16.9 through 16.9.1
Discovery Timeline
- 2024-02-22 - CVE-2024-0861 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0861
Vulnerability Analysis
The flaw is an authorization bypass in the Custom dashboard projects settings within GitLab EE. GitLab's permission model assigns the Guest role the lowest set of privileges, intended for read-mostly access to issues and public artifacts. Modifying analytics or dashboard configuration is reserved for Maintainer or Owner roles. This vulnerability lets a Guest user submit configuration changes that should be rejected by the authorization layer. The CWE classification of [CWE-425] indicates that the affected endpoint accepts direct requests without validating the requester's role.
Root Cause
The root cause is a missing or incomplete permission check on the controller or service that updates Custom dashboard projects settings. The backend trusts the request based on authentication rather than verifying the caller's role against the required access level. As a result, the policy that gates this setting does not enforce the documented role hierarchy. This is a classic broken access control pattern in a multi-tenant SaaS application.
Attack Vector
An attacker needs an authenticated Guest account on a vulnerable GitLab EE instance. The attacker issues a crafted request to the settings endpoint that updates Custom dashboard projects. No social engineering, user interaction, or chained vulnerability is required. The integrity impact is limited because the affected setting controls dashboard project references rather than source code or pipeline execution. Refer to the GitLab Issue #439240 and the HackerOne Report #2316435 for the technical write-up.
No public exploit code is available for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-0861
Indicators of Compromise
- Unexpected modifications to Custom dashboard projects settings in group or project configuration audit events.
- Audit log entries that show settings changes performed by users whose role is Guest.
- Configuration drift in analytics dashboards that does not correspond to a change request from a Maintainer or Owner.
Detection Strategies
- Review GitLab audit events for the custom_dashboard_projects setting and correlate the actor's role at the time of the change.
- Query the GitLab API for current dashboard project assignments and compare against a known-good baseline.
- Alert on any settings-mutation API call where the authenticated session belongs to a Guest member.
Monitoring Recommendations
- Forward GitLab audit logs to a central SIEM or data lake and build detections for role-versus-action mismatches.
- Track the version string returned by the GitLab /api/v4/version endpoint to confirm patched builds are deployed.
- Monitor administrative settings endpoints for anomalous request volume from low-privilege accounts.
How to Mitigate CVE-2024-0861
Immediate Actions Required
- Upgrade GitLab EE to 16.7.6, 16.8.3, or 16.9.1 or later as applicable to your release branch.
- Audit recent changes to Custom dashboard projects settings and revert any unauthorized modifications.
- Review group and project membership and remove stale or unnecessary Guest accounts.
Patch Information
GitLab released fixed versions 16.7.6, 16.8.3, and 16.9.1 that enforce the correct role check on Custom dashboard projects settings. Customers running GitLab.com are already on patched code. Self-managed GitLab EE administrators should apply the upgrade through the standard package or Helm chart pipeline. Details are documented in GitLab Issue #439240.
Workarounds
- If immediate patching is not possible, restrict Guest role assignments and limit external user invitations to vulnerable instances.
- Disable or remove Custom dashboard projects configuration on sensitive groups until the upgrade is applied.
- Place the GitLab instance behind a reverse proxy that enforces additional authorization checks on settings endpoints where feasible.
# Verify the running GitLab version on a self-managed instance
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Example upgrade path on an Omnibus package (Debian/Ubuntu)
sudo apt-get update && sudo apt-get install gitlab-ee=16.9.1-ee.0
sudo gitlab-ctl reconfigure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
