Critical GitLab Vulnerability: Update Now to Avoid Exploitation

Organizations using self-hosted GitLab instances with SAML-based authentication should immediately update to the latest versions of the platform, as GitLab has released critical security patches.

The updates address CVE-2024-45409, a maximum severity bug in GitLab's Community (CE) and Enterprise (EE) editions. This vulnerability allows attackers to bypass authentication and log in as any user on affected systems. Once inside, attackers could steal, leak, or modify source code, inject malicious code into production, and steal secrets or sensitive data, among other harmful actions.

CVE-2024-45409: A Maximum Severity Threat

With a CVSS score of 10.0, CVE-2024-45409 is classified as maximum severity. The attack is low-complexity, requires no privileges, and needs no user interaction, which makes it particularly dangerous. It affects both GitLab Dedicated, the single-tenant hosted offering, and self-managed GitLab instances. GitLab Dedicated has already been patched by GitLab; self-managed users must apply the patch themselves, immediately.

GitLab strongly recommends enabling two-factor authentication (2FA) on all user accounts of self-managed instances to reduce the risk of exploitation. GitLab also warns that multifactor authentication enforced at the identity provider does not mitigate this vulnerability, because the forged SAML response never passes through the identity provider. Additionally, organizations should disable the SAML two-factor bypass option in GitLab and follow the detection guidance provided in the advisory.

Details on CVE-2024-45409

The vulnerability stems from improper signature verification in Ruby SAML, the library GitLab uses for SAML-based authentication. Ruby SAML versions 12.2 and older, and 1.13.0 through 1.16.0, are affected. Because cryptographic signatures on SAML responses are not verified correctly, an attacker can forge a SAML response and log in as an arbitrary user.
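The affected ruby-saml ranges are what an operator of a self-managed instance most needs to check against their own installation. The Ruby script below is an added example, not GitLab's code or part of the advisory: it parses the resolved gem versions out of a Gemfile.lock (a constructed sample is embedded so it runs offline) and reports whether the pinned ruby-saml falls inside an affected range. It reads the article's "12.2" as the 1.12.x line, i.e. versions up to and including 1.12.2, since ruby-saml has no 12.x release; that reading is an assumption of this example, as is the sample lockfile.

```ruby
# Added example (not from the article or from GitLab): check the ruby-saml
# version pinned in a Gemfile.lock against the affected ranges the article
# lists for CVE-2024-45409.
require 'rubygems'

# Affected ranges per the article. Assumption: "12.2 and older" is read as
# the 1.12.x line, so the upper bound of the first range is 1.12.2.
AFFECTED_RANGES = [
  [nil,                        Gem::Version.new('1.12.2')],
  [Gem::Version.new('1.13.0'), Gem::Version.new('1.16.0')],
].freeze

# Resolved gems in a Gemfile.lock appear under "specs:" as "    name (version)"
# (four-space indent); their dependencies are indented six spaces and may carry
# constraints instead of exact versions, so they are deliberately not matched.
LOCK_ENTRY = /^\s{4}(?<name>[A-Za-z0-9_.\-]+) \((?<version>[^)]+)\)\s*$/

# Returns a hash of gem name => resolved version string.
def lockfile_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    m = LOCK_ENTRY.match(line)
    versions[m[:name]] = m[:version] if m
  end
  versions
end

# True when the version lies in any affected range (bounds inclusive).
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |low, high| (low.nil? || v >= low) && v <= high }
end

# :affected, :not_affected, or :not_present when ruby-saml is not in the lockfile.
def ruby_saml_status(lock_text)
  version = lockfile_versions(lock_text)['ruby-saml']
  return :not_present if version.nil?

  affected_version?(version) ? :affected : :not_affected
end

# Constructed sample lockfile pinning an affected ruby-saml release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.0)
      rexml (3.3.6)
        strscan
      ruby-saml (1.15.0)
        nokogiri (>= 1.13.10)
        rexml
      strscan (3.1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    ruby-saml (~> 1.15)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Point this at a real lockfile: ruby check_ruby_saml.rb /path/to/Gemfile.lock
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = lockfile_versions(text)['ruby-saml']
  puts "ruby-saml #{version || 'not present'}: #{ruby_saml_status(text)}"
end
```

The check uses `Gem::Version` rather than string comparison so that `1.9.0` sorts below `1.16.0` and platform-suffixed versions parse cleanly; the range bounds are inclusive because the article names both endpoints as affected.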

To protect your GitLab instance, patch to the latest version immediately and follow the recommended security practices.