Fixed versions: 17.1.7, 17.2.5, 17.3.2
CVE-2024-8635 is a server-side request forgery (SSRF) vulnerability in GitLab Enterprise Edition (EE). A user who can configure a custom Maven Dependency Proxy URL for a project can make the GitLab server issue requests to hosts reachable from it, including internal resources that are not exposed to the Internet. The vulnerability affects all versions from 16.8 before 17.1.7, from 17.2 before 17.2.5, and from 17.3 before 17.3.2. Fixes were released in 17.1.7, 17.2.5, and 17.3.2.
Because the request is made by the GitLab server, it carries that server's network position: it reaches services that firewalls or private addressing keep off the Internet, such as internal APIs, administrative interfaces, databases or services with HTTP endpoints, and a cloud provider's instance metadata service. The immediate impact is disclosure of whatever those services return to an unauthenticated HTTP request from the GitLab host. How far that extends, from leaked credentials to further pivoting or disruption of GitLab itself, depends on what is reachable from the GitLab server and what those services accept over plain HTTP.
CVE-2024-8635 was publicly disclosed on September 12, 2024. Exploitation likelihood is rated moderate: the attacker needs the ability to set a custom Maven Dependency Proxy URL, and the feature is not enabled in every GitLab EE deployment. No public proof-of-concept (PoC) code has been released as of this writing, but SSRF bugs of this kind are simple to reproduce once the affected parameter is known, so a PoC may well emerge. It is not currently listed on the CISA KEV catalog.
Organizations running GitLab Enterprise Edition (EE) with the Maven Dependency Proxy feature enabled are at risk. This includes development teams that proxy external Maven repositories through GitLab and those using GitLab as a central artifact repository. Installations on an affected branch (16.8 up to but not including 17.1.7, 17.2 before 17.2.5, 17.3 before 17.3.2) that have not taken the corresponding patch release are exposed.
• gitlab: Examine the GitLab API log for requests that change a project's Maven dependency proxy settings and for fetches through the proxy. On Omnibus installations the API log is /var/log/gitlab/gitlab-rails/api_json.log:
grep -E 'dependency_proxy/packages/(settings|maven)' /var/log/gitlab/gitlab-rails/api_json.log
• gitlab: Check the configured external registry URL of each project that uses the feature. The Maven dependency proxy is configured per project through the API, not in gitlab.yml; confirm the URL points at the intended public or vetted registry and not at an internal host or address:
curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.example.com/api/v4/projects/<project_id>/dependency_proxy/packages/settings"
• generic web: Monitor the web server access log for requests to the dependency proxy endpoint with unusual or unexpected paths. On Omnibus installations the NGINX log is /var/log/gitlab/nginx/gitlab_access.log (source installations commonly log to /var/log/nginx/access.log):
grep 'dependency_proxy/packages/maven' /var/log/gitlab/nginx/gitlab_access.log
Exploitation status: no confirmed active exploitation; not listed in CISA KEV.
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2024-8635 is to upgrade GitLab EE to the patched release for the branch you run: 17.1.7, 17.2.5, or 17.3.2, or later. Until then, review every project's Maven Dependency Proxy configuration and make sure each external registry URL points at the intended registry rather than an internal host, and restrict the GitLab server's outbound traffic so it cannot reach the cloud metadata endpoint or internal services it has no need for; that egress control limits the damage of this and any other SSRF. A Web Application Firewall (WAF) with SSRF rules only sees the inbound request that sets the URL, not the server's outbound fetch, so treat it as a secondary control that catches obviously internal URL values. Monitor the GitLab API and web logs for changes to dependency proxy settings and for fetches through the proxy. After upgrading, confirm the fix by configuring a proxy URL that targets an internal resource in a test project and fetching through it; the request should be denied.
Update GitLab to version 17.1.7, 17.2.5, or 17.3.2, or later. This fixes the SSRF vulnerability that allows an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL.
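The two practical tasks above, spotting a dependency proxy URL that points somewhere internal and finding who set it and who fetched through it, share one check: does the configured host resolve to a non-routable address? The following Ruby script is an added example, not GitLab's own code. It assumes the api_json.log field names (method, path, params as an array of key/value pairs, username, remote_ip) and the endpoint shapes /api/v4/projects/:id/dependency_proxy/packages/settings and .../packages/maven/, which you should verify against the API documentation for your version; the log lines and DNS answers embedded in it are constructed so it runs offline. It goes beyond the page's example by also rejecting obfuscated numeric hosts and IPv4-mapped IPv6 addresses, which a naive "is it 10.x/127.x" check misses.

```ruby
require 'json'
require 'ipaddr'
require 'uri'
require 'resolv'

# Non-routable and internal ranges an "external" Maven registry must never
# point at: "this" network, RFC 1918, CGNAT, loopback, link-local (which
# covers the cloud metadata address 169.254.169.254) and IPv6 equivalents.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Real checks resolve through system DNS; the constructed table lets the
# example and its sample log run offline.
DEFAULT_RESOLVER = ->(name) { Resolv.getaddresses(name) }
SAMPLE_DNS = { 'repo.maven.apache.org' => ['198.51.100.5'],   # constructed answers
               'internal-nexus.corp'   => ['10.20.30.40'],
               'localhost'             => ['127.0.0.1'] }
SAMPLE_RESOLVER = ->(name) { SAMPLE_DNS.fetch(name, []) }

def literal_ip(host)
  IPAddr.new(host)
rescue IPAddr::InvalidAddressError
  nil
end

def blocked_address?(ip)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?   # ::ffff:10.0.0.1 -> 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# nil when the configured registry URL is acceptable, otherwise a reason string.
def registry_url_problem(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url.to_s)
  return "scheme #{uri.scheme.inspect} is not http or https" unless %w[http https].include?(uri.scheme)
  return 'URL carries userinfo' if uri.userinfo
  host = uri.hostname.to_s
  return 'URL has no host' if host.empty?
  # Numeric hosts IPAddr rejects but HTTP clients accept as IPv4 (2130706433,
  # 0x7f000001, 127.1) and octal-looking octets (0177.0.0.1) slip past a
  # dotted-quad check, so refuse them outright.
  if host.match?(/\A(0x[0-9a-f]+|[\d.]+)\z/i) && (literal_ip(host).nil? || host.match?(/(\A|\.)0\d/))
    return "#{host} is an obfuscated numeric host"
  end
  ip = literal_ip(host)
  addrs = ip ? [ip] : resolver.call(host).map { |a| IPAddr.new(a.to_s) }
  return "#{host} does not resolve" if addrs.empty?
  hit = addrs.find { |a| blocked_address?(a) }
  hit && "#{host} resolves to non-routable address #{hit}"
rescue URI::InvalidURIError => e
  "unparseable URL (#{e.message})"
end

# Assumed endpoint shapes; verify against the API docs for your version.
SETTINGS_PATH = %r{\A/api/v4/projects/(\d+)/dependency_proxy/packages/settings\z}
FETCH_PATH    = %r{\A/api/v4/projects/(\d+)/dependency_proxy/packages/maven/}

# Scan api_json.log lines (one JSON object each). Returns settings changes whose
# maven_external_registry_url fails the check above, plus per-project fetch
# counts through the proxy so the two can be correlated.
def scan_api_log(lines, resolver: DEFAULT_RESOLVER)
  report = { unsafe_settings: [], fetches: Hash.new(0) }
  lines.each do |line|
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      next                                   # non-JSON noise in the log
    end
    path = event['path'].to_s
    if (m = SETTINGS_PATH.match(path)) && %w[PUT POST PATCH].include?(event['method'])
      params = Array(event['params']).map { |p| [p['key'], p['value']] }.to_h
      url = params['maven_external_registry_url']
      next unless url
      problem = registry_url_problem(url, resolver: resolver)
      next unless problem
      report[:unsafe_settings] << { project: m[1].to_i, user: event['username'],
                                    remote_ip: event['remote_ip'], url: url, problem: problem }
    elsif (m = FETCH_PATH.match(path))
      report[:fetches][m[1].to_i] += 1
    end
  end
  report
end

# Constructed sample in api_json.log style (field names assumed from that format).
SAMPLE_LOG = <<~LOG
  {"time":"2024-09-12T10:00:01Z","method":"PUT","path":"/api/v4/projects/42/dependency_proxy/packages/settings","params":[{"key":"enabled","value":"true"},{"key":"maven_external_registry_url","value":"https://repo.maven.apache.org/maven2"}],"status":200,"username":"alice","remote_ip":"203.0.113.10"}
  {"time":"2024-09-12T10:05:12Z","method":"PUT","path":"/api/v4/projects/42/dependency_proxy/packages/settings","params":[{"key":"maven_external_registry_url","value":"http://169.254.169.254/latest/"}],"status":200,"username":"mallory","remote_ip":"198.51.100.7"}
  {"time":"2024-09-12T10:05:40Z","method":"GET","path":"/api/v4/projects/42/dependency_proxy/packages/maven/org/example/lib/1.0/lib-1.0.pom","status":404,"username":"mallory","remote_ip":"198.51.100.7"}
  {"time":"2024-09-12T10:06:00Z","method":"PUT","path":"/api/v4/projects/7/dependency_proxy/packages/settings","params":[{"key":"maven_external_registry_url","value":"http://internal-nexus.corp:8081/repository/maven-public"}],"status":200,"username":"bob","remote_ip":"203.0.113.22"}
  not json: truncated line
LOG

if __FILE__ == $PROGRAM_NAME
  report = scan_api_log(SAMPLE_LOG.lines, resolver: SAMPLE_RESOLVER)
  report[:unsafe_settings].each do |f|
    puts "ALERT project=#{f[:project]} user=#{f[:user]} from=#{f[:remote_ip]} url=#{f[:url]} (#{f[:problem]})"
  end
  report[:fetches].each { |project, n| puts "project #{project}: #{n} fetch(es) through the proxy" }
end
```

Run it against a real log with `scan_api_log(File.foreach('/var/log/gitlab/gitlab-rails/api_json.log'))`, which uses system DNS. Resolution is done at check time, so a hostname that is later re-pointed at an internal address (DNS rebinding) is not caught by a one-off scan; the egress restriction described above is what closes that gap, and the same `registry_url_problem` check is what a hardened settings endpoint would apply before accepting a URL.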
CVE-2024-8635 is a server-side request forgery vulnerability in GitLab EE allowing attackers to access internal resources via the Maven Dependency Proxy URL.
You are affected if you are running GitLab EE 16.8 or later on a branch below its patched release (before 17.1.7, 17.2 before 17.2.5, or 17.3 before 17.3.2) and have the Maven Dependency Proxy feature enabled.
Upgrade GitLab EE to 17.1.7, 17.2.5, or 17.3.2 (or later) for your branch. Review each project's Maven Dependency Proxy URL, restrict the server's outbound access to internal and metadata addresses, and treat WAF rules as a secondary control.
No active exploitation has been confirmed as of September 12, 2024, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official GitLab security advisory at https://gitlab.com/security/advisories/CVE-2024-8635.