CVE-2024-4660: GitLab Information Disclosure Vulnerability

CVE-2024-4660 Overview

CVE-2024-4660 is a broken access control vulnerability in GitLab Enterprise Edition (EE). The flaw allows a user with guest role permissions to read the source code of a private project by abusing group templates. The issue affects GitLab EE versions starting from 11.2 through 17.1.7, 17.2 through 17.2.5, and 17.3 through 17.3.2. The vulnerability is classified under [CWE-862] Missing Authorization. GitLab released fixes in versions 17.1.7, 17.2.5, and 17.3.2 on September 11, 2024.

Critical Impact

Guest users can read source code from private GitLab projects through group templates, exposing intellectual property and potentially embedded secrets.

Affected Products

• GitLab Enterprise Edition versions 11.2 through 17.1.7
• GitLab Enterprise Edition versions 17.2 through 17.2.5
• GitLab Enterprise Edition versions 17.3 through 17.3.2

Discovery Timeline

• 2024-09-11 - GitLab releases patch versions 17.1.7, 17.2.5, and 17.3.2
• 2024-09-12 - CVE-2024-4660 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-4660

Vulnerability Analysis

The vulnerability stems from missing authorization checks in the group templates feature of GitLab EE. Group templates allow projects within a group to inherit configurations and code from a designated template project. When a guest user references a private project through this template mechanism, GitLab does not properly verify the requesting user's permission to access the underlying source code. As a result, the template path becomes a confused deputy that exposes private repository contents to users who lack direct read access.

The authorization gap impacts confidentiality only. Attackers cannot modify project data, alter pipelines, or disrupt service availability through this flaw. However, exposure of proprietary source code can lead to follow-on risks, including disclosure of hardcoded credentials, API keys, or business logic that attackers can weaponize in subsequent attacks.

Root Cause

The defect is a Missing Authorization issue [CWE-862]. The code path serving group template content does not enforce the project-level read permission against the requesting principal. The check that should validate whether a guest can read a private project's source is either absent or applied inconsistently within the template handler.

Attack Vector

An authenticated attacker with guest membership in a group containing a configured template referencing a private project sends a crafted request through the template feature. The server returns source code from the private project without performing the required permission check. Exploitation requires authentication but does not require user interaction or elevated privileges beyond guest access. See the HackerOne Report #2480126 and the GitLab Issue Discussion for additional context.

Detection Methods for CVE-2024-4660

Indicators of Compromise

• Unusual access patterns from guest accounts to group template endpoints associated with private projects.
• Audit log entries showing template-related API calls originating from users without direct project membership.
• Repository read events for private projects with no corresponding member or role assignment for the requesting user.

Detection Strategies

• Review GitLab audit events for project source access by users whose access level is guest or who lack explicit project membership.
• Correlate template configuration changes with subsequent source code retrieval requests from low-privilege accounts.
• Compare project visibility settings against the membership of users accessing template-linked resources.

Monitoring Recommendations

• Enable and centralize GitLab audit logs covering project, group, and template events.
• Alert on anomalous spikes in template-derived file fetches and on access by accounts created shortly before template use.
• Monitor outbound traffic from CI runners and developer endpoints for bulk repository cloning that follows guest activity.

How to Mitigate CVE-2024-4660

Immediate Actions Required

• Upgrade GitLab EE to version 17.3.2, 17.2.5, or 17.1.7 or later, depending on your release branch.
• Audit group template configurations and remove templates that reference private projects unnecessarily.
• Review guest membership across groups and revoke access where it is not required for business operations.

Patch Information

GitLab released the fix on September 11, 2024. Detailed release notes are available in the GitLab Release Patch Announcement. Self-managed GitLab EE administrators should plan upgrades following GitLab's standard upgrade path. GitLab.com customers received the patch automatically.

Workarounds

• Remove or unset group-level template configurations that point to private projects until the upgrade is applied.
• Restrict the guest role assignments within groups that host sensitive templates.
• Rotate any credentials or secrets that may have been exposed in private project source code accessed during the vulnerable window.

# Check current GitLab version on self-managed instance
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 10

# Upgrade GitLab EE (Omnibus example for Debian/Ubuntu)
sudo apt-get update
sudo apt-get install gitlab-ee=17.3.2-ee.0

# Verify upgrade completion
sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:env:info | grep "GitLab"