CVE-2024-8754: 
GitLab vulnerability analysis and mitigation

An improper input validation vulnerability (CVE-2024-8754) was discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. The vulnerability allows attackers to squat on accounts by linking arbitrary unclaimed provider identities when JWT authentication is configured (NVD).

The vulnerability stems from an improper input validation error in the IdentitiesController component. The issue received a CVSS v3.1 base score of 8.1 (HIGH) from NIST NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, while GitLab Inc. assessed it with a score of 6.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-642 (External Control of Critical State Data) (NVD).

The vulnerability enables attackers to pre-occupy externuids for arbitrary providers. An attacker could create a dedicated account and bind a target externuid (e.g., with the googleoauth2 provider) to that account. When the legitimate owner of the externuid attempts to sign up, they would be directed to the pre-occupied account, potentially without realizing it's not a newly created account, while the attacker maintains access (GitLab Issue).

Users should upgrade to GitLab version 17.1.7, 17.2.5, or 17.3.2 or later, depending on their current version track. The vulnerability has been fixed in these releases (NVD).