GitLab CE/EE SAML Misconfiguration Vulnerability Allows Unauthorized Access to Internal Projects

Vulnerability

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) for Self-Managed and Dedicated instances, affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. The issue arises from a misconfiguration in SAML authentication that can allow users designated as External to read and clone internal projects under certain conditions. It is rooted in the handling of the 'external' user attribute during SAML login: a null value is written to the attribute, which can override an external status that an administrator set manually.

Impact

Exploitation of this vulnerability could allow unauthorized users to access and clone internal projects, leading to a breach of project confidentiality.

Reproduction

To reproduce this vulnerability, log in to a GitLab instance with SAML authentication enabled but without external groups defined. After login, the user's 'external' attribute is set to null, which grants access to internal projects. The effect can be observed through the User API, which incorrectly reports the user's external status.

Remediation

Users should upgrade to GitLab versions 17.8.2, 17.7.4, or 17.6.5, and re-designate any external users after the upgrade.
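The reproduction and remediation steps above both hinge on the User API reporting an 'external' value that no longer matches what administrators assigned. The following audit script is an added example (not GitLab's code) that pages through the Users API and lists every user who should be External but whose record now reports something other than true, so they can be re-designated after the upgrade. It assumes an admin personal access token in GITLAB_TOKEN, the instance URL in GITLAB_URL, and a plain-text file of expected external usernames; all three are assumptions for illustration.

```python
"""Find GitLab users whose manually assigned External status has been lost."""
import json
import os
import sys
import urllib.request


def fetch_all_users(base_url: str, token: str, per_page: int = 100) -> list:
    """Page through GET /api/v4/users; an admin token exposes the 'external' field."""
    users, page = [], 1
    while True:
        url = f"{base_url.rstrip('/')}/api/v4/users?per_page={per_page}&page={page}"
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:  # an empty page means pagination is exhausted
            return users
        users.extend(batch)
        page += 1


def find_external_drift(expected_external: set, users: list) -> dict:
    """Return {username: reported_value} for each user who should be External
    but whose API record reports external as anything other than True
    (False or null, the latter being the symptom described in the advisory)."""
    reported = {u["username"]: u.get("external") for u in users}
    drift = {}
    for name in sorted(expected_external):
        if name not in reported:
            continue  # account no longer exists; nothing to re-designate
        if reported[name] is not True:
            drift[name] = reported[name]
    return drift


if __name__ == "__main__":
    base = os.environ.get("GITLAB_URL", "https://gitlab.example.com")  # assumed
    token = os.environ["GITLAB_TOKEN"]  # assumed admin PAT
    with open(sys.argv[1]) as fh:  # assumed file: one expected External username per line
        expected = {line.strip() for line in fh if line.strip()}
    drift = find_external_drift(expected, fetch_all_users(base, token))
    for name, value in drift.items():
        print(f"{name}: external reported as {value!r}; re-designate as External")
    sys.exit(1 if drift else 0)
```

A non-zero exit status makes the script usable as a post-upgrade check in an automation job.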

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.