CVE-2024-2191 in GitLab Community Edition / Enterprise Edition
Summary
by MITRE • 06/27/2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a merge request title to be visible publicly despite being set as project members only.
Analysis
by VulDB Data Team • 06/29/2024
This vulnerability resides in GitLab Community Edition and Enterprise Edition, affecting versions 16.9 through 16.11.4, 17.0 through 17.0.2, and 17.1 through 17.1.0; the fixed releases are 16.11.5, 17.0.3 and 17.1.1. It is an information disclosure flaw: merge request titles become readable by users who are not members of the project even though the project's merge request feature has been restricted to "project members only". GitLab has two layers of visibility here, the project-level setting (public, internal or private) and a per-feature access level for merge requests (everyone with access, or only project members). The bug is a failure to enforce the second layer for the title, so on a project that is itself public the title is rendered to non-members. That is a straightforward access control defect and a violation of least privilege: a setting that promises member-only visibility must be honoured for every representation of the object, including its metadata.
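Checking whether an installed version falls inside the three affected ranges is a common first step for an operator or a scanner, and a naive string comparison gets it wrong because "16.11.4" sorts before "16.9.0" lexicographically. The following Ruby snippet is an added example written for this page, not code from GitLab or VulDB; only the range boundaries come from the advisory, and the sample version strings and the hypothetical `affected?` helper are constructed for illustration.

```ruby
# Added example (not GitLab's or VulDB's code): decide whether a GitLab
# version string lies inside the affected ranges quoted in the advisory.
require "rubygems" # for Gem::Version (normally loaded by default)

# Each entry is [first affected version, first fixed version), i.e. the
# lower bound is affected and the upper bound is the patched release.
AFFECTED_RANGES = [
  ["16.9.0", "16.11.5"],
  ["17.0.0", "17.0.3"],
  ["17.1.0", "17.1.1"],
].freeze

# GitLab reports versions such as "17.0.2-ee" or "16.11.4-ce.0".
# Strip the edition suffix so only the numeric part is compared.
def numeric_version(str)
  Gem::Version.new(str.sub(/-.*\z/, ""))
end

# Segment-wise numeric comparison via Gem::Version: 16.11.4 > 16.9.0,
# whereas the plain string "16.11.4" < "16.9.0" (the classic pitfall).
def affected?(version_str)
  v = numeric_version(version_str)
  AFFECTED_RANGES.any? do |lo, hi|
    v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
end

# Constructed sample versions covering both sides of every boundary.
SAMPLE_VERSIONS = %w[16.8.9 16.9.0 16.11.4-ee 16.11.5 17.0.2 17.0.3 17.1.0-ce.0 17.1.1 17.2.0].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_VERSIONS.each do |v|
    puts "#{v.ljust(12)} affected=#{affected?(v)}"
  end
end
```

Run it as a script to print the verdict for each sample version; in a real check, feed it the value from `GET /api/v4/version` or the instance's `/help` page.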
The flaw is categorised under CWE-284 (Improper Access Control) and, more specifically, CWE-668 (Exposure of Resource to Wrong Sphere). It manifests when a visitor who can see the project but is not a member, which on a public project includes unauthenticated visitors, views a merge request whose title should have been withheld. The exposure occurs at the application layer: the project-visibility check passes, but the feature-level check that should gate merge request data for non-members is not applied before the title is retrieved and displayed. The advisory does not state which interface (web page, API, or both) leaked the title, only that it was visible publicly despite the members-only setting.
The operational impact is larger than "a title leaked" suggests. Merge request titles routinely name the feature being built, the bug being fixed, the security issue being patched, or the release milestone a change targets. A non-member who can enumerate titles on an otherwise public project therefore gets reconnaissance for free: which components are under active development, which weaknesses are being fixed before the fix has shipped, and roughly when changes will land. Titles such as "Fix authentication bypass in token refresh" tell an attacker exactly where to look while the patch is still in review. From an attacker's perspective this is a low-effort, high-value source of intelligence that can feed targeted attacks on specific components or on the project's development and release process, even though the leak itself does not grant any write access.
Mitigation starts with upgrading affected instances to 16.11.5, 17.0.3, 17.1.1 or later, since the flaw is in GitLab's own authorization logic and cannot be configured away. Until the upgrade is applied, administrators of public projects with member-only merge requests can reduce exposure by making the project itself internal or private, and by monitoring access logs for non-member or unauthenticated requests against merge request pages and endpoints; network-level restrictions on who can reach the instance help only where the instance is not meant to be publicly reachable in the first place. After upgrading, verify the fix directly: in a project whose merge request feature is set to "Only project members", confirm in an unauthenticated browser session or with an unauthenticated API client that merge request titles are not returned. More generally, this vulnerability is a reminder that per-feature visibility settings must be enforced by the authorization layer for every view of the object, including its metadata, and that audits of collaboration platforms should test each visibility setting from the perspective of a non-member rather than trusting the setting's presence. The fix is of the usual shape for this class of bug: the authorization check is strengthened so that project membership is verified against the feature's access level before any merge request metadata is rendered to the caller.
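The mechanism described in the analysis above and the shape of the fix described here can be shown side by side in a reduced model. The Ruby below is an added example for this page, not GitLab's code: `Project`, `MergeRequest`, the `:members_only` / `:everyone` access levels and the two `mr_title_*` functions are simplified stand-ins for GitLab's real project, project-feature and policy classes, and the sample project and title are constructed. The vulnerable shape checks only whether the caller can see the project; the hardened shape also enforces the merge request feature's access level before returning the title.

```ruby
# Added example (not GitLab's code): a reduced model of the authorization
# decision behind CVE-2024-2191. Class and symbol names are illustrative.
require "set"

Project = Struct.new(:path, :visibility, :merge_requests_access, :members) do
  # Can `user` see the project at all? `nil` means an anonymous visitor.
  def visible_to?(user)
    case visibility
    when :public   then true
    when :internal then !user.nil?
    when :private  then member?(user)
    else false
    end
  end

  def member?(user)
    !user.nil? && members.include?(user)
  end
end

MergeRequest = Struct.new(:project, :title)

# Vulnerable shape: the per-feature setting is never consulted, so on a
# public project the title is returned to anyone who can see the project,
# including anonymous visitors, despite "members only" being configured.
def mr_title_vulnerable(mr, user)
  mr.project.visible_to?(user) ? mr.title : nil
end

# Hardened shape: project visibility AND the merge request feature access
# level are both enforced before any metadata is handed back.
def mr_title_fixed(mr, user)
  project = mr.project
  return nil unless project.visible_to?(user)

  case project.merge_requests_access
  when :disabled     then nil
  when :members_only then project.member?(user) ? mr.title : nil
  when :everyone     then mr.title
  else nil # unknown setting: fail closed
  end
end

# Constructed sample data: a public project whose merge requests are
# restricted to members, plus a private project for contrast.
PUBLIC_LOCKED  = Project.new("acme/widgets", :public,  :members_only, Set["alice"])
PRIVATE_OPEN   = Project.new("acme/secret",  :private, :everyone,     Set["alice"])
SAMPLE_MR      = MergeRequest.new(PUBLIC_LOCKED, "Fix auth bypass in session refresh")
PRIVATE_MR     = MergeRequest.new(PRIVATE_OPEN,  "Rotate signing key")

if __FILE__ == $PROGRAM_NAME
  [nil, "mallory", "alice"].each do |u|
    who = (u || "anonymous").ljust(10)
    puts "#{who} vulnerable=#{mr_title_vulnerable(SAMPLE_MR, u).inspect} " \
         "fixed=#{mr_title_fixed(SAMPLE_MR, u).inspect}"
  end
end
```

The `else nil` branches are deliberate: an authorization check that meets an unexpected setting should deny, not fall through to the permissive case. The same two-layer rule applies to every other representation of the merge request (lists, search results, notifications), which is why an audit should test each view from a non-member's perspective rather than just the merge request page itself.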