
GitLab has released security patches for a critical vulnerability affecting both GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows a threat actor to bypass authentication checks and gain access to sensitive GitLab projects, including source code repositories, without supplying valid credentials.
The flaw, identified as CVE-2024-45409 with a CVSS score of 10, stems from improper signature verification in certain versions of the Ruby-SAML library (<= 1.12.2 and 1.13.0 through 1.16.0). It allows an unauthenticated attacker to forge a SAML response, effectively granting them access to GitLab as any arbitrary user.
GitLab has responded by releasing security patches for all affected versions, which include updates to both the omniauth-saml dependency (to version 2.2.1) and the ruby-saml library (to version 1.17.0).
For self-managed GitLab users, the key mitigation steps to prevent successful exploitation of this vulnerability are to enable two-factor authentication and to disable the SAML two-factor bypass option.
GitLab has provided guidelines for identifying exploitation attempts via application and authentication logs. Indicators of unsuccessful exploitation attempts include the occurrence of RubySaml::ValidationError in the logs, often due to incorrect callback URLs or certificate signing issues.
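As an added example (not from the GitLab advisory), the log check described above applied to constructed sample lines in the single-line JSON shape of GitLab's application_json.log; the field names, timestamps and error messages are assumptions, and the hostname gitlab.example.test is a placeholder.

```ruby
require 'json'
require 'time'

# Constructed sample log lines (not real GitLab output). Field names follow
# the JSON shape of application_json.log as an assumption.
SAMPLE_LOG = <<~LOG
  {"severity":"ERROR","time":"2024-09-17T10:01:12Z","message":"(saml) Authentication failure! invalid_ticket: RubySaml::ValidationError, Fingerprint mismatch"}
  {"severity":"INFO","time":"2024-09-17T10:01:13Z","message":"Completed 200 OK in 12ms"}
  {"severity":"ERROR","time":"2024-09-17T10:02:40Z","message":"(saml) Authentication failure! invalid_ticket: RubySaml::ValidationError, The response was received at http://gitlab.example.test/users/auth/saml/callback instead of https://gitlab.example.test/users/auth/saml/callback"}
  not valid json at all
  {"severity":"ERROR","time":"2024-09-17T10:05:01Z","message":"(saml) Authentication failure! invalid_ticket: RubySaml::ValidationError, Fingerprint mismatch"}
LOG

ERROR_MARKER = 'RubySaml::ValidationError'.freeze

# Scans newline-delimited JSON log text and returns one record per
# RubySaml::ValidationError entry: { time: Time, reason: String }, where
# reason is the text following the error class name (e.g. a fingerprint
# mismatch or a callback URL mismatch).
def saml_validation_failures(log_text)
  failures = []
  log_text.each_line do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip malformed lines instead of aborting the whole scan
    end
    next unless entry.is_a?(Hash)
    message = entry['message'].to_s
    next unless message.include?(ERROR_MARKER)
    reason = message.split("#{ERROR_MARKER},", 2).last.strip
    failures << { time: Time.iso8601(entry['time']), reason: reason }
  end
  failures
end

# Aggregates failures by reason: { reason => count }, useful for telling a
# misconfigured IdP (one recurring reason) from probing (many distinct ones).
def failures_by_reason(log_text)
  saml_validation_failures(log_text).group_by { |f| f[:reason] }.transform_values(&:size)
end

# Largest number of validation failures that fall inside any window of
# window_seconds; a burst is a stronger signal than isolated errors.
def max_failures_in_window(log_text, window_seconds)
  times = saml_validation_failures(log_text).map { |f| f[:time] }.sort
  times.each_with_index.map { |t, i| times[i..].count { |u| u - t <= window_seconds } }.max || 0
end
```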
All GitLab installations affected by CVE-2024-45409 are urged to upgrade to the latest patched versions immediately (17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10).