CVE-2024-4024: Authentication Bypass by Assumed-Immutable Data in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
Security readout for executives and security teams
Plain-English summary
GitLab could let a person with their own Bitbucket credentials take over someone else's GitLab account, but only when Bitbucket OAuth is used and the victim account is linked to Bitbucket. The business risk is account compromise with access to repositories, issues, secrets, and CI/CD functions available to that GitLab user.
Executive priority
Treat this as high priority where GitLab uses Bitbucket OAuth because compromise can lead to source code and CI/CD access. Patch affected instances promptly, then review linked-account and login activity. Lower urgency is reasonable only when Bitbucket OAuth is not enabled.
Technical view
The issue is an authentication bypass by assumed-immutable data (CWE-302) in GitLab CE/EE. Affected ranges are 7.8 before 16.9.6, 16.10 before 16.10.4, and 16.11 before 16.11.1. The attack path requires Bitbucket as a GitLab OAuth 2.0 provider, Bitbucket credentials, and user interaction.
Likely exposure
Exposure is most likely in self-managed GitLab CE/EE instances that enabled Bitbucket OAuth 2.0 and have GitLab accounts linked to Bitbucket identities. Instances not using Bitbucket as an OAuth provider are not indicated as exposed by the supplied sources.
Exploitation context
The CVE is not listed as KEV in the bundle, and no cited source confirms active exploitation. Public details state account takeover may be possible under certain conditions, but the provided evidence does not define those conditions fully.
Researcher notes
The main uncertainty is the phrase “under certain conditions”; the supplied sources do not provide full triggering detail. The CVSS vector indicates network access, low attack complexity, low privileges, required user interaction, and high confidentiality and integrity impact, with no availability impact stated.
Mitigation direction
Upgrade GitLab to 16.9.6, 16.10.4, 16.11.1, or later as applicable.
Check GitLab vendor guidance and the linked issue for any additional advisories.
Review whether Bitbucket OAuth 2.0 is enabled and still required.
Temporarily disable Bitbucket OAuth if business impact is acceptable until patched.
Notify GitLab administrators to prioritize account-integrity review after patching.
Validation and detection
Inventory GitLab CE/EE versions and compare them to the affected ranges.
Confirm whether Bitbucket is configured as an OAuth 2.0 provider.
Identify accounts linked to Bitbucket identities for targeted review.
Review authentication logs for unusual Bitbucket OAuth sign-ins or account-linking activity.
Verify the deployed GitLab version is at or above the fixed release.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-302: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
2ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-302 · source CWE mapping
Authentication Bypass by Assumed-Immutable Data
Authentication Bypass by Assumed-Immutable Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.