CVE-2024-2743 Overview
An authorization bypass vulnerability has been discovered in GitLab Enterprise Edition (EE) that allows an attacker to modify on-demand Dynamic Application Security Testing (DAST) scan configurations without the required permissions and to leak the variables configured on those scans. The flaw affects GitLab EE from version 13.3 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2.
Critical Impact
Unauthorized modification of DAST scan configurations combined with variable leakage could expose sensitive CI/CD secrets, API keys, and credentials used in security testing workflows, potentially leading to broader infrastructure compromise.
Affected Products
- GitLab Enterprise Edition 13.3 to before 17.1.7
- GitLab Enterprise Edition 17.2 to before 17.2.5
- GitLab Enterprise Edition 17.3 to before 17.3.2
Discovery Timeline
- 2024-09-11 - GitLab releases security patch (versions 17.1.7, 17.2.5, 17.3.2)
- 2024-09-12 - CVE-2024-2743 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-2743
Vulnerability Analysis
This vulnerability is classified as CWE-863: Incorrect Authorization, indicating that the application fails to properly verify whether a user is authorized to perform specific actions on DAST scan resources. The flaw allows attackers to interact with on-demand DAST scan configurations they should not have access to.
The vulnerability enables two distinct attack outcomes: unauthorized modification of DAST scan parameters and extraction of variables configured within the scan. These variables often contain sensitive data such as authentication tokens, API credentials, or environment-specific secrets required for authenticated DAST scans against protected applications.
Root Cause
The root cause stems from improper authorization checks in the DAST scan management functionality within GitLab Enterprise Edition. When processing requests to modify or access DAST scan configurations, the application fails to adequately verify that the requesting user has the necessary permissions for the target scan resource. This authorization gap allows users with lower privileges or even unauthenticated attackers to manipulate scan configurations across project boundaries.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can craft malicious requests to the GitLab API or web interface targeting DAST scan endpoints. By manipulating object identifiers or exploiting the missing authorization checks, the attacker can:
- Access DAST scan configurations belonging to other projects or users
- Modify scan parameters such as target URLs, authentication settings, or scan profiles
- Extract configured variables containing sensitive credentials or secrets
The attack does not require special privileges, making it accessible to external threat actors who can reach the GitLab instance. For detailed technical information, refer to the GitLab Issue #451014 and the HackerOne Report #2411756.
Detection Methods for CVE-2024-2743
Indicators of Compromise
- Unexpected modifications to DAST scan configurations or profiles
- Unusual API calls to DAST-related endpoints from unauthorized users or IP addresses
- Audit log entries showing DAST scan access or modifications by users without project membership
- Variables or secrets appearing in unexpected contexts or being accessed outside normal workflows
Detection Strategies
- Monitor GitLab audit logs for unauthorized access patterns to DAST scan resources
- Implement alerting on DAST configuration changes from users who should not have access
- Review API access logs for suspicious requests targeting /api/v4/projects/*/dast_* endpoints
- Deploy SentinelOne Singularity to detect and alert on anomalous application behavior patterns
Monitoring Recommendations
- Enable comprehensive audit logging in GitLab Enterprise Edition
- Configure SIEM integration to correlate GitLab audit events with network traffic analysis
- Establish baseline behavior for DAST scan usage and alert on deviations
- Monitor for credential exposure in logs or application outputs following potential variable leakage
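As an added example (not code from this advisory or from GitLab), the following Python script applies the detection and monitoring strategies above to log data: it matches the /api/v4/projects/*/dast_* path pattern, checks the requesting username against a project-membership map, reports successful DAST requests by non-members (rating modifications above reads), and flags actors who reached DAST resources in more than one project they do not belong to, which is the kind of baseline deviation worth escalating first. The field names follow the general shape of GitLab's api_json.log, but the records, usernames, project ids and IP addresses are all constructed, and the membership map is an assumed input you would build from your own instance's members data.

```python
import json
import re
from collections import defaultdict

# Path pattern named in the detection strategy above: /api/v4/projects/<id>/dast_*
DAST_PATH = re.compile(r"^/api/v4/projects/(?P<project>[^/]+)/dast_")
# Methods that change a scan configuration rather than read it
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed input: project id -> usernames with membership. In practice you would
# build this from your own instance's members data before running the check.
MEMBERS = {
    "42": {"alice", "bob"},
    "77": {"carol"},
}

# Constructed sample records in the general shape of GitLab api_json.log
# (one JSON object per line). Names, ids and addresses are invented.
SAMPLE_LOG = """\
{"time":"2024-09-10T08:01:00Z","method":"GET","path":"/api/v4/projects/42/dast_site_profiles","status":200,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2024-09-10T08:02:11Z","method":"PUT","path":"/api/v4/projects/42/dast_site_profiles/7","status":200,"username":"mallory","remote_ip":"203.0.113.9"}
{"time":"2024-09-10T08:02:30Z","method":"GET","path":"/api/v4/projects/77/dast_scanner_profiles","status":200,"username":"mallory","remote_ip":"203.0.113.9"}
{"time":"2024-09-10T08:03:00Z","method":"GET","path":"/api/v4/projects/42/merge_requests","status":200,"username":"mallory","remote_ip":"203.0.113.9"}
{"time":"2024-09-10T08:04:00Z","method":"POST","path":"/api/v4/projects/77/dast_site_profiles","status":403,"username":"dave","remote_ip":"10.0.0.8"}
"""


def find_suspicious(log_text, members):
    """Return DAST requests that succeeded for a user outside the project's membership.

    A 403 means the authorization check held, so it is skipped; a 2xx for a
    non-member is the signature of the bypass. Mutating methods map to the
    'modify scan configuration' outcome and are rated high; reads are rated
    medium because they can still leak configured variables.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        match = DAST_PATH.match(rec.get("path", ""))
        if not match:
            continue  # not a DAST endpoint
        project = match.group("project")
        user = rec.get("username")
        if user in members.get(project, set()):
            continue  # legitimate member access
        if not 200 <= int(rec.get("status", 0)) < 300:
            continue  # request was denied or failed
        findings.append({
            "time": rec.get("time"),
            "user": user,
            "ip": rec.get("remote_ip"),
            "project": project,
            "method": rec.get("method"),
            "path": rec["path"],
            "severity": "high" if rec.get("method") in MUTATING else "medium",
        })
    return findings


def actors_touching_multiple_projects(findings):
    """Group findings by (user, ip) and return the actors that reached DAST
    resources in more than one project they are not a member of."""
    projects = defaultdict(set)
    for finding in findings:
        projects[(finding["user"], finding["ip"])].add(finding["project"])
    return {actor: sorted(p) for actor, p in projects.items() if len(p) > 1}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG, MEMBERS)
    for h in hits:
        print(f"[{h['severity']}] {h['time']} {h['user']}@{h['ip']} {h['method']} {h['path']}")
    for (user, ip), projs in actors_touching_multiple_projects(hits).items():
        print(f"escalate: {user}@{ip} touched DAST resources in projects {projs}")
```

Run against a real api_json.log, the membership map is the part that needs care: it has to include inherited group membership, or every legitimate group member will show up as a finding. The 403 filter is deliberate, since a denied request is the control working; a burst of 403s from one address is still useful as a reconnaissance signal, but it is a different alert.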
How to Mitigate CVE-2024-2743
Immediate Actions Required
- Upgrade GitLab Enterprise Edition immediately to a patched version (17.1.7, 17.2.5, or 17.3.2, according to your release branch)
- Audit DAST scan configurations for unauthorized modifications
- Rotate any secrets or credentials configured as DAST scan variables
- Review audit logs for signs of exploitation prior to patching
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should update to the following versions based on their current release branch:
- 17.1.x branch: Update to 17.1.7 or later
- 17.2.x branch: Update to 17.2.5 or later
- 17.3.x branch: Update to 17.3.2 or later
For complete patch details, see the GitLab Patch Release Announcement.
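To apply the per-branch guidance above without reading the ranges by hand, here is an added Python check (not code from this advisory or from GitLab) that parses an installed version string, tests it against the three affected ranges stated on this page, and names the first fixed version for that branch. The only assumptions are that the version looks like 17.2.4 or 17.2.4-ee and that it appears on a line starting with Version: in the gitlab:env:info output; the sample output below is constructed.

```python
import re

# Affected ranges and their fixed versions, as stated in the advisory:
# [first affected, first fixed) per release branch. Tuples compare element-wise,
# so 16.11.3 falls in the first range and 17.1.7 falls outside all of them.
AFFECTED_RANGES = [
    ((13, 3, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
]

# Constructed excerpt in the general shape of `gitlab-rake gitlab:env:info`
# output (assumption: the version appears on a line starting with "Version:").
SAMPLE_ENV_INFO = """\
System information
System:         Ubuntu 22.04

GitLab information
Version:        17.2.4-ee
"""


def parse_version(text):
    """Turn '17.2.4-ee' (or '17.2') into a (major, minor, patch) tuple."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_env_info(output):
    """Pull the version string out of env:info output; None if absent."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Version":
            return value.strip()
    return None


def assess(version_text):
    """Return (affected, upgrade_to): upgrade_to is the first fixed version for
    the installed branch, or None when the install is outside all ranges."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None


if __name__ == "__main__":
    installed = version_from_env_info(SAMPLE_ENV_INFO)
    affected, target = assess(installed)
    if affected:
        print(f"{installed} is affected by CVE-2024-2743; upgrade to {target} or later")
    else:
        print(f"{installed} is outside the affected ranges")
```

Note that "not affected" here only means outside the ranges this advisory states: a release older than 13.3 is out of support rather than safe, and a 17.4 or later release simply post-dates the fix.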
Workarounds
- Restrict network access to the GitLab instance to trusted IP ranges until patching is complete
- Temporarily disable on-demand DAST scanning functionality if not business-critical
- Implement web application firewall rules to filter suspicious requests to DAST endpoints
- Remove or vault sensitive variables from DAST configurations until the patch is applied
# Check the currently installed GitLab version (run as root or via sudo)
sudo gitlab-rake gitlab:env:info
# Update to the patched version for your release branch (Omnibus installation; 17.3.x branch shown)
sudo apt-get update && sudo apt-get install gitlab-ee=17.3.2-ee.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.