CVE-2024-8754 in Enterprise Edition
Summary
by MITRE • 09/12/2024
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/10/2025
The vulnerability identified as CVE-2024-8754 represents a critical security flaw in GitLab Enterprise Edition and Community Edition that has persisted across multiple version ranges. This issue stems from inadequate input validation mechanisms within the authentication system, specifically when JWT authentication is configured. The vulnerability allows malicious actors to exploit a weakness in the identity linking process, enabling them to claim control over existing user accounts through the manipulation of provider identities. The flaw affects versions from 16.9.7 up to but not including 17.1.7, 17.2 up to but not including 17.2.5, and 17.3 up to but not including 17.3.2, indicating a widespread impact across the GitLab product line.
The technical root cause of this vulnerability lies in the improper validation of input parameters during the authentication flow when JWT (JSON Web Token) authentication is enabled. When users attempt to link their accounts through external identity providers, the system fails to properly validate the legitimacy of the provider identity being linked. This validation gap creates an opportunity for attackers to submit forged or arbitrary provider identity information that can be accepted as legitimate. The vulnerability specifically targets the account linking mechanism, allowing unauthorized parties to associate their own credentials with existing accounts without proper authorization. This misconfiguration enables account takeover scenarios where attackers can assume the identity of legitimate users within the GitLab environment.
The operational impact of CVE-2024-8754 extends beyond simple account compromise, as it fundamentally undermines the integrity of GitLab's authentication system. Attackers exploiting this vulnerability can gain unauthorized access to repositories, code, and sensitive project data associated with the compromised accounts. The ability to squat on accounts provides persistent access that can be leveraged for extended periods without detection, making this a particularly dangerous vulnerability for organizations relying on GitLab for version control and collaboration. The impact is amplified in environments where JWT authentication is actively configured, as this creates a direct attack vector that bypasses normal authentication controls. Organizations may experience unauthorized code commits, data exfiltration, and potential lateral movement within their development environments.
This vulnerability aligns with CWE-20, which describes improper input validation as a fundamental security weakness, and maps to ATT&CK technique T1566.003 for social engineering via credential stuffing or account takeover. The flaw demonstrates how inadequate validation of external inputs can lead to severe authentication bypass scenarios. Organizations should immediately implement mitigations including upgrading to the patched versions 17.1.7, 17.2.5, or 17.3.2 respectively, depending on their current GitLab version. Additionally, administrators should review and audit existing account linkages, particularly those involving JWT authentication, to identify and remove any suspicious or unauthorized identity associations. The recommended approach includes implementing additional verification mechanisms for identity linking operations and monitoring for unusual account activity patterns that may indicate exploitation attempts.