CVE-2024-2880 in Community Edition

Summary

by MITRE • 07/11/2024

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.


Analysis

by VulDB Data Team • 07/13/2024

This vulnerability exists in GitLab Community Edition and Enterprise Edition, where a privilege escalation flaw allows users holding the custom role permission `admin_group_member` to ban group members. The issue affects multiple version streams, 16.5 through 16.11.5, 17.0 through 17.0.3, and 17.1 through 17.1.1, giving it a wide footprint across the GitLab product line. It is a clear violation of the principle of least privilege: a permission intended only to administer group membership lets its holders execute an action beyond their designated scope.

The technical flaw stems from improper access control validation in GitLab's permission system: the `admin_group_member` permission lacks a proper boundary for group-level administrative actions, so a custom role carrying it bypasses the authorization checks that should prevent non-privileged users from executing ban operations. The vulnerability manifests when the system fails to verify that a user acting under `admin_group_member` actually holds the elevated permission required to ban group members, creating an access control bypass.

The operational impact of this vulnerability is significant as it enables malicious or compromised users with the specific custom role to remove legitimate group members from projects, potentially disrupting collaboration workflows and access to critical development resources. This capability could be exploited to silence dissenting voices within development teams, remove contributors from security-sensitive projects, or create denial-of-service conditions by banning key personnel. The vulnerability particularly affects organizations that rely on granular access controls and custom role definitions for their GitLab implementations.

Organizations should immediately upgrade to the patched versions 16.11.6, 17.0.4, and 17.1.2 to remediate this vulnerability. Administrators should also conduct immediate audits of custom role assignments to ensure no users hold the `admin_group_member` permission when such elevated access is not required. The vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and could potentially map to ATT&CK technique T1078.004, related to valid accounts used for privilege escalation. Security teams should implement monitoring for unauthorized group banning activity and review access control policies to prevent similar issues in other custom role configurations.
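A small triage helper for the two remediation steps above, added here as an example and not code from GitLab or VulDB: it checks whether an instance version falls inside the affected ranges stated in this record, and lists custom-role assignments that carry `admin_group_member` for review. The assignment records use a constructed, hypothetical shape, not the GitLab API.

```python
"""Triage helper for CVE-2024-2880 (added example; not GitLab's or VulDB's code)."""
from typing import Iterable

# Affected ranges from the advisory, as [first affected, first fixed) per release stream.
AFFECTED_RANGES = [
    ((16, 5, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a missing PATCH counts as 0 and edition suffixes like '-ee' are dropped."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the given GitLab version lies in any affected range (fixed versions are excluded)."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def review_candidates(assignments: Iterable[dict]) -> list:
    """Return the custom-role assignments whose permission set includes `admin_group_member`.

    Each assignment is a constructed dict: {"user": str, "group": str, "permissions": set}.
    """
    return [a for a in assignments if "admin_group_member" in a.get("permissions", set())]


# Constructed sample data standing in for an export of custom role assignments.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice", "group": "platform", "permissions": {"admin_group_member", "read_code"}},
    {"user": "bob", "group": "platform", "permissions": {"read_code"}},
    {"user": "carol", "group": "security", "permissions": {"admin_group_member"}},
]

if __name__ == "__main__":
    for ver in ("16.4.9", "16.11.5", "16.11.6", "17.0.3", "17.1.1-ee", "17.1.2"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for a in review_candidates(SAMPLE_ASSIGNMENTS):
        print("review:", a["user"], "in group", a["group"])
```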

Responsible

GitLab

Reservation

03/25/2024

Disclosure

07/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00051

KEV

no

Activities

very low

Sources
