Security updates released on Wednesday for GitLab Community Edition (CE) and Enterprise Edition (EE) resolve a critical-severity vulnerability leading to authentication bypass.
The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication.
An XML-based markup language for security assertions, SAML uses the Ruby SAML library in the OmniAuth SAML gem to implement the client side of the SAML authorization, and the library is vulnerable to signature wrapping.
“Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML response. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML response/assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system,” the library’s maintainers explain.
The vulnerability does not affect Ruby SAML version 1.12.3 and was addressed in version 1.17.0 of the library, which was included in OmniAuth SAML version 2.2.1.
To prevent the exploitation of CVE-2024-45409, users should enable GitLab two-factor authentication (2FA) for all user accounts on their self-managed instances (identity provider multi-factor authentication does not mitigate the flaw) and not allow the SAML two-factor bypass option on the code collaboration platform, GitLab notes in its advisory.
The platform has also provided indicators of compromise (IoCs) to help users hunt for potential exploitation attempts targeting this vulnerability.
GitLab CE/EE versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 update both dependencies to address the authentication bypass. Users are advised to update their GitLab CE/EE installations as soon as possible. Dedicated GitLab instances have been automatically upgraded.
Related: GitLab Security Update Patches Critical Vulnerability
Related: Critical Authentication Flaw Haunts GitHub Enterprise Server
Related: Potential RCE Flaw Patched in PyPI’s GitHub Repository
Related: GitLab Acquires Security Companies Peach Tech and Fuzzit