Fixed versions: 17.2.9, 17.3.5, 17.4.2
CVE-2024-8977 is a Server-Side Request Forgery (SSRF) vulnerability identified in GitLab EE. The flaw lets an attacker reach internal resources or services from the GitLab instance itself. It affects versions 15.10 through 17.4.2, specifically instances where the Product Analytics Dashboard is configured and enabled. A fix is available in version 17.4.2, with backported fixes in 17.2.9 and 17.3.5 for the 17.2 and 17.3 branches.
An attacker exploiting CVE-2024-8977 can leverage the Product Analytics Dashboard to initiate SSRF requests. This allows them to bypass security controls and potentially access internal services that are not directly exposed to the internet. Successful exploitation could lead to data exfiltration, unauthorized access to sensitive information, or even the ability to interact with internal systems. The blast radius is limited to the internal network accessible from the GitLab instance, but the potential impact can be significant depending on the services exposed internally. This vulnerability shares similarities with other SSRF exploits where attackers use a trusted application to make requests to unintended destinations.
CVE-2024-8977 was publicly disclosed on 2024-10-10. The vulnerability is not currently listed on the CISA KEV catalog. No public proof-of-concept exploits have been widely reported, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.06% (20th percentile)
The primary mitigation for CVE-2024-8977 is to upgrade GitLab EE to version 17.4.2 or later. If an immediate upgrade is not possible, consider disabling the Product Analytics Dashboard to reduce the attack surface. Network segmentation can also limit the potential impact by restricting access from the GitLab instance to sensitive internal resources. Web Application Firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to access an internal resource through the Product Analytics Dashboard and confirming that the request is denied.
Update GitLab to version 17.2.9, 17.3.5, or 17.4.2, or a later version. This will resolve the SSRF vulnerability in the Product Analytics Dashboard configuration. See the GitLab release notes for detailed upgrade instructions.
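As an added example (not GitLab's code or part of this advisory), a small Python check that applies the fixed versions listed above to a reported GitLab version string. It assumes the fix applies per minor branch (17.2.x is fixed from 17.2.9, 17.3.x from 17.3.5, 17.4.x from 17.4.2) and that version strings may carry a `-ee` suffix; both are assumptions about GitLab's release scheme, not statements from the page.

```python
# Added example: classify a GitLab EE version against CVE-2024-8977.
# Lower bound (15.10) and fixed releases come from the advisory text;
# per-minor-branch fix semantics are an assumption about how GitLab
# backports patch releases.
import re

FIRST_AFFECTED = (15, 10, 0)
# minor branch -> first patched release on that branch (assumed per-branch)
FIXED_ON_BRANCH = {
    (17, 2): (17, 2, 9),
    (17, 3): (17, 3, 5),
    (17, 4): (17, 4, 2),
}
LATEST_FIXED = (17, 4, 2)


def parse_version(text):
    """Parse '17.3.4', 'v17.3.4-ee' or '17.3' (treated as 17.3.0)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text, product_analytics_enabled=True):
    """True when the instance still needs the CVE-2024-8977 fix.

    Exposure requires the Product Analytics Dashboard to be configured and
    enabled, so a caller that knows it is disabled can pass that flag.
    """
    if not product_analytics_enabled:
        return False
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    branch = (v[0], v[1])
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]
    # Branches without a backport: everything older than 17.2 is still
    # vulnerable; everything newer than the last fixed branch has the fix.
    return v < LATEST_FIXED


if __name__ == "__main__":
    # Constructed sample inputs covering the branch boundaries.
    for sample in ["15.9.3", "16.11.0-ee", "17.2.8", "17.2.9",
                   "17.3.0", "17.4.2", "17.5.0"]:
        print(sample, "affected" if is_affected(sample) else "not affected")
```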
CVE-2024-8977 is a Server-Side Request Forgery vulnerability in GitLab EE affecting versions 15.10–17.4.2. It allows attackers to potentially access internal resources via the Product Analytics Dashboard.
You are affected if you are running GitLab EE versions 15.10 through 17.4.2 and have the Product Analytics Dashboard enabled.
Upgrade GitLab EE to version 17.4.2 or later. As a temporary workaround, disable the Product Analytics Dashboard.
While no widespread exploitation has been confirmed, the SSRF nature of the vulnerability suggests potential for exploitation. Monitor security advisories.
Refer to the official GitLab security advisory: [https://gitlab.com/security/advisories/CVE-2024-8977](https://gitlab.com/security/advisories/CVE-2024-8977)