GitLab has rolled out patches to fix a critical vulnerability affecting its Community Edition (CE) and Enterprise Edition (EE) that could lead to an authentication bypass. The flaw, tracked as CVE-2024-45409, carries a CVSS score of 10.0, the maximum possible severity.
The vulnerability stems from a flaw in the ruby-saml library, which is responsible for handling Security Assertion Markup Language (SAML) authentication. SAML is widely used for enabling single sign-on (SSO) and facilitates the secure exchange of authentication data across multiple apps and websites.
The issue arises because the library does not properly verify the signature of the SAML Response. As a result, an unauthenticated attacker who holds any signed SAML document can forge a SAML Response or Assertion with arbitrary contents. According to a security advisory, this vulnerability could allow an attacker to log in as any user of a vulnerable system.
The vulnerability also affects omniauth-saml, which has released version 2.2.1 to address the issue by upgrading its ruby-saml dependency to version 1.17.0. GitLab has shipped the fix in versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
GitLab recommends several mitigations for administrators of self-managed instances: enable two-factor authentication (2FA) for all accounts, and disable the SAML two-factor bypass option.
While GitLab has not confirmed any active exploitation of this vulnerability in the wild, it has published indicators of potential exploitation attempts. A successful attempt produces SAML-related log events, in particular entries recording the extern_id value chosen by the attacker. An unsuccessful attempt may instead surface as a ValidationError from the RubySaml library, since a working exploit is difficult to craft.
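As an added illustration of the detection guidance above (this is not code from GitLab or from the advisory), the Ruby scanner below runs over constructed JSON log lines. It assumes each SAML callback event carries the asserted identity in an `extern_id` field and the client address in `remote_ip`, and that a roster of identities the IdP is actually permitted to assert is available for comparison.

```ruby
require 'json'
require 'set'

# Constructed sample lines (not real GitLab output) in a JSON shape assumed for
# this example: SAML callback events carrying the asserted extern_id, plus one
# ruby-saml ValidationError from a response whose signature did not check out.
SAMPLE_LOG = <<~LOG
  {"time":"2024-09-17T10:01:02Z","severity":"INFO","message":"(saml) Callback phase initiated","extern_id":"alice@example.com","remote_ip":"203.0.113.5"}
  {"time":"2024-09-17T10:03:44Z","severity":"INFO","message":"(saml) Callback phase initiated","extern_id":"root","remote_ip":"198.51.100.7"}
  {"time":"2024-09-17T10:04:10Z","severity":"ERROR","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response","remote_ip":"198.51.100.7"}
  {"time":"2024-09-17T10:05:00Z","severity":"INFO","message":"(saml) Callback phase initiated","extern_id":"bob@example.com","remote_ip":"203.0.113.9"}
LOG

# Identities the IdP is allowed to assert (constructed roster for the example).
KNOWN_EXTERN_IDS = Set['alice@example.com', 'bob@example.com'].freeze

Finding = Struct.new(:kind, :time, :remote_ip, :extern_id, :detail)

# Scan log text and return findings for (a) SAML callbacks whose extern_id is
# not in the roster, i.e. an identity the IdP would never have asserted, and
# (b) RubySaml ValidationError failures, the advisory's sign of a failed attempt.
def scan_saml_log(text, known_ids = KNOWN_EXTERN_IDS)
  findings = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    begin
      ev = JSON.parse(line)
    rescue JSON::ParserError
      next # skip non-JSON lines rather than abort the scan
    end
    msg = ev['message'].to_s
    if msg.include?('RubySaml::ValidationError')
      findings << Finding.new(:validation_error, ev['time'], ev['remote_ip'], nil, msg)
    elsif msg.include?('(saml)') && ev.key?('extern_id') && !known_ids.include?(ev['extern_id'])
      findings << Finding.new(:unknown_extern_id, ev['time'], ev['remote_ip'], ev['extern_id'], msg)
    end
  end
  findings
end

# Group findings by source address so a failed forgery followed by a login with
# an unexpected identity from the same client stands out as one sequence.
def by_ip(findings)
  findings.group_by(&:remote_ip)
end

if __FILE__ == $PROGRAM_NAME
  by_ip(scan_saml_log(SAMPLE_LOG)).each do |ip, hits|
    puts "#{ip}: " + hits.map { |f| "#{f.time} #{f.kind} extern_id=#{f.extern_id.inspect}" }.join('; ')
  end
end
```

Only the extern_id of a successful forgery is attacker-controlled, so the roster comparison is what turns "a SAML login happened" into a finding worth triage.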
This patch comes amid growing concerns about security flaws, as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Among these is a critical bug in Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), which has also shown evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies are advised to remediate these vulnerabilities by October 9, 2024, to defend their systems against possible threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067