CVE-2024-4597 in Enterprise Edition
Summary
by MITRE • 05/14/2024
An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF.
Analysis
by VulDB Data Team • 03/31/2025
This vulnerability in GitLab Enterprise Edition is a cross-site request forgery (CSRF) flaw: an attacker can cause the browser of a user who holds an active SAML session to submit a merge request approval that the user never intended or saw. The affected ranges are 16.7 through 16.9.6, 16.10 through 16.10.4, and 16.11 through 16.11.1, a significant gap in the platform's authentication and authorization controls. The root cause is insufficient validation of the CSRF token when merge request approval actions are processed, particularly for users authenticated through a SAML identity provider.
The flaw is triggered when a user with an active SAML session in GitLab visits a malicious web page or opens an email that causes the browser to send a crafted approval request; because the browser attaches the existing session cookie, GitLab processes the request as if the user had clicked approve. This bypasses the control that should require an explicit, user-initiated confirmation. The weakness is specific to the merge request approval workflow, where the server fails to verify that the request originated from a legitimate user interaction rather than from a third-party page.
The operational impact goes beyond a single unwanted approval. An approval is often the last gate before a merge, so a forged approval can allow malicious changes to be merged and to reach production code, or code to be executed within the repository's pipelines. Because the victim is already authenticated through the identity provider and authorized to change code, the attacker inherits the trust relationship between GitLab and the SAML provider rather than having to break it. In environments where SAML is the enterprise authentication method, this effectively bypasses the controls meant to prevent unauthorized repository modifications. The vulnerability is a critical weakness in GitLab's session management and request validation, and it opens the door to supply chain attacks and unauthorized code deployments.
Organizations should upgrade immediately to the patched versions 16.9.7, 16.10.5, or 16.11.2. Security teams should also monitor for unexpected merge request approvals, for example approvals that do not match a reviewer's normal activity, and consider CSRF protections beyond GitLab's defaults, such as rejecting state-changing requests whose Origin or Sec-Fetch-Site headers indicate a cross-site source. The vulnerability aligns with CWE-352, cross-site request forgery, and maps to ATT&CK technique T1566.002 (spearphishing link), since phishing is the likely way a victim would be led to the page that issues the forged request. Organizations should also review their SAML integration settings and ensure sound session management practices are in place to reduce exposure to session hijacking.
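To make the CWE-352 pattern concrete, here is an added illustrative example, not GitLab's code: a minimal approval handler that trusts the session cookie alone, beside a hardened version that checks a per-session synchronizer token and the browser's Origin / Sec-Fetch-Site headers. The instance origin, the request and session shapes, and the sample traffic are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGIN = "https://gitlab.example"  # assumed origin of the GitLab instance


@dataclass
class Session:
    user: str
    auth_method: str  # e.g. "saml"; a SAML session is exposed like any other
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    session: Session  # None when no valid session cookie was presented
    form: dict        # posted parameters
    headers: dict     # relevant HTTP request headers


def approve_mr_unsafe(req, mr_id, approvals):
    """Weak handler: a live session is the only check, so a POST that another
    site makes the browser send (cookie attached) approves in the victim's name."""
    if req.session is None:
        return 401
    approvals.add((mr_id, req.session.user))
    return 200


def approve_mr_hardened(req, mr_id, approvals):
    """Hardened handler: token bound to the session, plus Fetch Metadata checks."""
    if req.session is None:
        return 401
    token = req.form.get("authenticity_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 422  # reject before any state changes
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    # Absent header = older browser; anything cross-site is refused.
    if req.headers.get("Sec-Fetch-Site") not in (None, "same-origin", "same-site", "none"):
        return 403
    approvals.add((mr_id, req.session.user))
    return 200


# Constructed sample traffic: a victim with a SAML session, one request as a
# third-party page would cause the browser to send it, one genuine UI click.
victim = Session(user="alice", auth_method="saml")
forged = Request(victim, {}, {"Origin": "https://third-party.example",
                              "Sec-Fetch-Site": "cross-site"})
genuine = Request(victim, {"authenticity_token": victim.csrf_token},
                  {"Origin": ALLOWED_ORIGIN, "Sec-Fetch-Site": "same-origin"})
```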