If you run a self-managed GitLab installation with configured SAML-based authentication and you haven’t upgraded it since mid-September, do it now, because security researchers have published an analysis of CVE-2024-45409 and an exploit script that may help attackers gain access as any user on GitLab.
About CVE-2024-45409
GitLab is a popular software development platform that can be deployed by users on on-premises servers, Kubernetes, or with a cloud provider.
CVE-2024-45409 is a critical authentication bypass vulnerability in the Ruby-SAML and OmniAuth-SAML libraries, which are used in multiple GitLab Community Edition (CE) and Enterprise Edition (EE) versions.
It affects OmniAuth-SAML versions prior to 2.2.1 and Ruby-SAML versions prior to 1.17.0, and has been fixed in GitLab CE and EE versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
The fix has also been backported to older GitLab versions: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10.
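Added here as an illustration (not GitLab's own tooling or the researchers' code): a small checker that, given a GitLab version string, reports whether it sits at or above the first fixed release on its release branch, using only the versions listed above. It assumes branches newer than 17.3 shipped after the fix and that branches older than 16.0 received no backport.

```python
"""Check whether a self-managed GitLab version string is at or above the
first release carrying the CVE-2024-45409 fix on its release branch.

Fixed versions are taken from the advisory text above; the rest of this
script is an added illustration, not GitLab's own tooling."""
import re

# First patched release on each branch, as listed in the article.
FIXED_VERSIONS = [
    "17.3.3", "17.2.7", "17.1.8", "17.0.8", "16.11.10",
    "16.10.10", "16.9.11", "16.8.10", "16.7.10", "16.6.10", "16.5.10",
    "16.4.7", "16.3.9", "16.2.11", "16.1.8", "16.0.10",
]

def parse_version(text):
    """Turn '17.3.3-ee' or '17.3.3' into (17, 3, 3); reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())

# Map (major, minor) -> first fixed (major, minor, patch) on that branch.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}

def is_patched(version_text):
    """Return (patched, reason) for a GitLab version string.

    Assumption: branches newer than any listed (e.g. 17.4.x) were released
    after the fix and count as patched; branches older than 16.0 never
    received a backport and count as unpatched."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = ".".join(map(str, FIXED_BY_BRANCH[branch]))
        if v >= FIXED_BY_BRANCH[branch]:
            return True, f"{version_text} is at or above first fixed {fixed}"
        return False, f"{version_text} is below first fixed {fixed}"
    if branch > max(FIXED_BY_BRANCH):
        return True, f"branch {branch[0]}.{branch[1]} postdates the fix"
    return False, f"branch {branch[0]}.{branch[1]} has no backported fix"

if __name__ == "__main__":
    for v in ("17.3.2-ee", "17.3.3", "16.4.7", "16.4.6", "15.11.13", "17.4.0"):
        print(v, is_patched(v))
```

The check answers only "is the fix present"; an instance that was exposed while unpatched still needs the exploitation-attempt review GitLab described.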
At the time, GitLab Inc. strongly urged admins of self-managed GitLab installations to upgrade to one of the fixed versions, and shared possible mitigations, instructions on how to check for exploitation attempts, and threat detection rules.
Technical analysis and PoC code
“[Security Assertion Markup Language, or SAML] is a widely used protocol for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). A crucial part of ensuring the security of this exchange is verifying the integrity and authenticity of the data through digital signatures and digest verification,” Project Discovery researchers explained.
CVE-2024-45409 allows attackers to bypass the signature validation step, but only after they have obtained a SAML Response that the identity provider issued to the targeted user.
They can then modify it with the help of an exploit script developed by Synacktiv researchers.
“If authentication is successful, you will be redirected to the GitLab homepage,” Synacktiv researchers concluded.