Critical authentication bug in GitLab patched in Community and Enterprise editions
DevOps platform GitLab has patched a critical flaw in its Community Edition (CE) and Enterprise Edition (EE) solutions that could allow malicious users to access confidential information.
The flaw, described as a “SAML authentication bypass,” is being tracked as CVE-2024-45409 and has a perfect severity score of 10/10. Security Assertion Markup Language (SAML) is a web-based authentication protocol that, among other things, facilitates the single sign-on (SSO) function.
It was discovered that the ruby-saml library was not properly verifying the signature of the SAML response, allowing attackers to log in.
No evidence of abuse
“An unauthenticated attacker with access to any SAML document signed (by the IdP) can thus forge a SAML response/assertion with arbitrary content,” GitHub explained in a security advisory. “This could allow the attacker to log in as an arbitrary user within the vulnerable system.”
People concerned about a breach should ensure their Community Edition and Enterprise Edition solutions are upgraded to versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10. People who are unable to apply the patch now should enable two-factor authentication (2FA) for all accounts and disable the SAML two-factor bypass option.
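As an added example (not the article's or GitLab's own code), a small Python check that maps a self-managed GitLab version string to the patched releases listed above and reports whether it is patched, still vulnerable on a patched branch, or on an older branch with no fix listed; the version strings and the `-ee`/`-ce` suffix handling are assumptions.

```python
# Added example: decide whether a GitLab CE/EE version carries the
# CVE-2024-45409 fix, using the patched releases named in the article.
from typing import Tuple

# Patched releases from the article, keyed by minor branch (major, minor).
PATCHED_RELEASES = {
    (17, 3): (17, 3, 3),
    (17, 2): (17, 2, 7),
    (17, 1): (17, 1, 8),
    (17, 0): (17, 0, 8),
    (16, 11): (16, 11, 10),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an assumed '-ee'/'-ce' suffix is ignored)."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """
    Return one of:
      'patched'          at or above the fixed release for its branch
      'vulnerable'       same branch as a fixed release, but older than it
      'unpatched-branch' older branch with no fixed release listed; upgrade
      'newer'            newer than any branch listed here; confirm against
                         GitLab's own release notes rather than this table
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED_RELEASES:
        # Tuple comparison orders (major, minor, patch) lexicographically.
        return "patched" if (major, minor, patch) >= PATCHED_RELEASES[branch] else "vulnerable"
    if branch > max(PATCHED_RELEASES):
        return "newer"
    return "unpatched-branch"
```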
While GitHub hasn’t explicitly stated whether or not the vulnerability has been exploited in the wild, the wording in the security advisory is somewhat telling. In the document, the maintainers shared details about spotting both successful and failed exploitation attempts, suggesting that the bad guys may already be trying their luck.
GitLab is a web-based DevOps platform that provides tools for version control, continuous integration/continuous delivery (CI/CD), and software development lifecycle management. It helps teams collaborate on code, automate testing, and streamline deployment processes, and has tens of millions of active users. As such, it is a high-profile target for cybercriminals of all kinds.
Via The Hacker News