CVE-2024-12093
Improper Validation of Consistency within Input in GitLab
In short
GitLab's SAML login system doesn't properly validate XML structure in certain conditions, which could let an attacker bypass two-factor authentication by tampering with the login response.
Technical detail
An improper XPath validation in GitLab's SAML authentication flow permits an unauthenticated attacker to craft a malicious SAML response that circumvents 2FA enforcement under specific configurations. The vulnerability stems from insufficient consistency checks on XML input during SAML assertion processing, allowing modification of authentication claims without triggering validation failure.
Summary generated and translated by AI from the official description.
An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products
GitLab · GitLabWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →