low

Subdomain Takeover Vulnerability in GitLab Pages

Published Wed, Oct 9th, 2024
Platforms

Summary

A vulnerability in GitLab Pages allowed attackers to take over dangling custom domains pointing to 'instanceX.gitlab.io'. The issue occurred when an unverified custom domain was added to GitLab Pages: the domain was served for 7 days before being disabled. This could lead to cookie stealing, phishing campaigns, and bypassing of Content Security Policies and CORS.

Affected Services

GitLab Pages

Remediation

Disable the "Force HTTPS" option in GitLab Pages settings for the affected project. Verify and properly configure custom domains before adding them to GitLab Pages.

Tracked CVEs

CVE-2024-5528

References

Entry Status
Finalized
Disclosure Date
Tue, May 28th, 2024
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
Monitor for unexpected changes in DNS records pointing to GitLab Pages. Regularly audit custom domain configurations in GitLab Pages settings. Check for unauthorized content served on custom domains associated with GitLab Pages.
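The audit described above, as an added example that is not part of this entry: it scans a DNS zone export for CNAME records pointing at GitLab Pages hosts and flags any whose target is not in the organisation's inventory of Pages hostnames it still owns. The zone text and the inventory are constructed sample data; in practice the inventory would come from the GitLab project settings.

```python
import re
from dataclasses import dataclass

# Constructed sample zone export (one record per line: name, type, target).
SAMPLE_ZONE = """\
www.example.com.      CNAME  example-org.gitlab.io.
docs.example.com.     CNAME  docs-team.gitlab.io.
old-blog.example.com. CNAME  old-blog.gitlab.io.
api.example.com.      A      192.0.2.10
"""

# Constructed inventory of Pages hostnames the organisation still controls.
OWNED_PAGES_HOSTS = {"example-org.gitlab.io", "docs-team.gitlab.io"}

# Matches the default hostname a GitLab Pages site is served from.
GITLAB_PAGES_RE = re.compile(r"^[a-z0-9-]+\.gitlab\.io$", re.I)


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def parse_zone(text):
    """Parse a minimal zone export into (name, type, target) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name, rtype, target = parts[0], parts[1].upper(), parts[2]
        records.append((name.rstrip(".").lower(), rtype, target.rstrip(".").lower()))
    return records


def audit_gitlab_pages_cnames(zone_text, owned_hosts):
    """Return findings for CNAMEs to *.gitlab.io hosts missing from the inventory."""
    owned = {h.lower() for h in owned_hosts}
    findings = []
    for name, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME" or not GITLAB_PAGES_RE.match(target):
            continue
        if target not in owned:
            findings.append(Finding(name, target,
                "CNAME points to a GitLab Pages host not in the owned inventory; "
                "possible dangling record"))
    return findings


if __name__ == "__main__":
    for f in audit_gitlab_pages_cnames(SAMPLE_ZONE, OWNED_PAGES_HOSTS):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run this against a fresh zone export after every DNS or Pages configuration change so that a record left behind after a project is removed is caught before anyone else can claim the target.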
Piercing Index Rating
-
Discovered by
Philippe Delteil