CVE-2024-7057 Overview
An information disclosure vulnerability has been identified in GitLab CE/EE that allows job artifacts to be inappropriately exposed to users who lack the proper authorization level. This vulnerability affects all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1.
Critical Impact
Unauthorized users can access sensitive job artifacts in GitLab CI/CD pipelines, potentially exposing confidential build outputs, credentials, or proprietary code stored in pipeline artifacts.
Affected Products
- GitLab Community Edition (CE) versions 16.7 to 17.0.4
- GitLab Enterprise Edition (EE) versions 16.7 to 17.0.4
- GitLab CE/EE versions 17.1 to 17.1.2
- GitLab CE/EE versions 17.2 prior to 17.2.1
Discovery Timeline
- 2024-07-25 - CVE CVE-2024-7057 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-7057
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control), indicating a flaw in GitLab's authorization mechanism for job artifacts. The vulnerability allows authenticated users with low-privilege access to retrieve job artifacts that should be restricted to users with higher authorization levels.
Job artifacts in GitLab CI/CD pipelines often contain sensitive information including compiled binaries, test reports, environment configurations, and in some cases, credentials or secrets that are inadvertently included in build outputs. The improper access control mechanism fails to properly validate whether the requesting user has sufficient permissions to access specific artifacts, leading to unauthorized information disclosure.
The network-based attack vector requires only low-privilege authentication and no user interaction, making exploitation straightforward for any authenticated user within a GitLab instance.
Root Cause
The root cause of this vulnerability lies in GitLab's insufficient authorization checks when users request access to job artifacts. The access control logic fails to properly validate the user's role and permissions against the artifact's visibility and project access requirements. This allows users who should only have read access to public portions of a project to access restricted CI/CD artifacts that may contain sensitive information.
Attack Vector
The attack can be executed by any authenticated user with low-level access to a GitLab instance. An attacker would:
- Authenticate to the GitLab instance with any valid user credentials
- Identify target projects with CI/CD pipelines that generate artifacts
- Craft requests to access job artifacts from pipelines they should not have access to
- Retrieve sensitive data contained within the exposed artifacts
The vulnerability is exploited via network requests to the GitLab web interface or API. Due to the low complexity and low privilege requirements, this attack is accessible to any user with basic GitLab access.
For detailed technical information, refer to the GitLab Issue Tracking and the HackerOne Security Report.
Detection Methods for CVE-2024-7057
Indicators of Compromise
- Unusual access patterns to job artifacts by users who do not typically access CI/CD resources
- API requests for artifact downloads from users with insufficient project permissions
- Increased artifact download activity from low-privilege or external user accounts
- Access logs showing artifact retrieval for restricted or private projects by unauthorized users
Detection Strategies
- Monitor GitLab access logs for artifact download requests and correlate with user permission levels
- Implement alerts for artifact access from users who are not members of the associated project
- Review audit logs for suspicious patterns of artifact enumeration across multiple projects
- Deploy SIEM rules to detect abnormal CI/CD artifact access behavior
Monitoring Recommendations
- Enable detailed GitLab audit logging for artifact access events
- Configure alerts for artifact downloads by guest or external users
- Regularly review CI/CD artifact access patterns for anomalies
- Monitor for bulk artifact download attempts that may indicate data exfiltration
How to Mitigate CVE-2024-7057
Immediate Actions Required
- Upgrade GitLab CE/EE to version 17.0.5, 17.1.3, or 17.2.1 or later immediately
- Audit recent artifact access logs to identify potential unauthorized access
- Review artifact contents for sensitive data exposure and rotate any compromised credentials
- Consider temporarily restricting artifact access until patching is complete
Patch Information
GitLab has released patched versions that address this vulnerability. Organizations should upgrade to one of the following fixed versions:
- GitLab 17.0.5 for installations on the 17.0.x branch
- GitLab 17.1.3 for installations on the 17.1.x branch
- GitLab 17.2.1 for installations on the 17.2.x branch
For upgrade instructions and release notes, refer to the official GitLab documentation and the GitLab Issue Tracking.
Workarounds
- Restrict artifact access at the project level by adjusting CI/CD settings to limit artifact visibility
- Remove or minimize sensitive data stored in job artifacts where possible
- Implement additional network-level access controls to limit who can reach the GitLab instance
- Review and tighten project membership and access levels across the GitLab instance
# Configuration example
# Review and restrict artifact visibility in .gitlab-ci.yml
# Set artifacts to expire quickly and limit access
artifacts:
expire_in: 1 hour
access: developer # Restrict artifact access to developer role or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
