low

Subdomain Takeover Vulnerability in GitLab Pages

Published Wed, Oct 9th, 2024

Platforms

gitlab

Summary

A vulnerability in GitLab Pages allowed attackers to take over dangling custom domains pointing to 'instanceX.gitlab.io'. The issue occurred when adding an unverified custom domain to GitLab Pages, which serves content for 7 days before disabling it. This could lead to cookie stealing, phishing campaigns, and bypassing of Content Security Policies and CORS.

Affected Services

GitLab Pages

Remediation

Disable the "Force HTTPS" option in GitLab Pages settings for the affected project. Verify and properly configure custom domains before adding them to GitLab Pages.

Tracked CVEs

CVE-2024-5528

References

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Tue, May 28th, 2024

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

Monitor for unexpected changes in DNS records pointing to GitLab Pages. Regularly audit custom domain configurations in GitLab Pages settings. Check for unauthorized content served on custom domains associated with GitLab Pages.
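As an added illustration of the audit described above (example code, not part of the original entry): a small Python reconciliation that compares an organisation's DNS CNAME records against the custom domains registered in GitLab Pages and flags any CNAME pointing at a *.gitlab.io host that is either not registered in any project or registered but still unverified. The record and domain lists are constructed sample data; in practice the Pages side would be pulled from the GitLab API or a settings export (assumption), and domains mapped via A records rather than CNAMEs need a separate check.

```python
"""Reconcile DNS CNAME records with GitLab Pages custom-domain state.

A CNAME that targets *.gitlab.io but has no matching verified custom
domain in any project's Pages settings is a dangling-domain candidate.
All data below is constructed for illustration.
"""
from dataclasses import dataclass

GITLAB_PAGES_SUFFIX = ".gitlab.io"


@dataclass(frozen=True)
class DnsRecord:
    name: str      # owner name, e.g. "docs.example.com."
    rtype: str     # "CNAME", "A", ...
    target: str    # CNAME target or address


@dataclass(frozen=True)
class PagesDomain:
    domain: str    # custom domain registered in a project's Pages settings
    verified: bool # whether GitLab has verified ownership of it


def normalize(host: str) -> str:
    """Lower-case and drop the trailing dot that zone files use."""
    return host.rstrip(".").lower()


def find_dangling(records, pages_domains):
    """Return (domain, cname_target, reason) for every risky CNAME."""
    state = {normalize(d.domain): d.verified for d in pages_domains}
    findings = []
    for rec in records:
        if rec.rtype.upper() != "CNAME":
            continue  # A-record mappings need a separate check
        name, target = normalize(rec.name), normalize(rec.target)
        if not target.endswith(GITLAB_PAGES_SUFFIX):
            continue  # not a GitLab Pages target
        if name not in state:
            findings.append((name, target, "not registered in any project"))
        elif not state[name]:
            findings.append((name, target, "registered but unverified"))
    return findings


# Constructed sample data: one healthy mapping, two risky ones, two unrelated records.
SAMPLE_RECORDS = [
    DnsRecord("docs.example.com.", "CNAME", "team-a.gitlab.io."),
    DnsRecord("old.example.com.", "CNAME", "team-a.gitlab.io."),
    DnsRecord("beta.example.com.", "CNAME", "team-b.gitlab.io."),
    DnsRecord("www.example.com.", "CNAME", "cdn.example.net."),
    DnsRecord("example.com.", "A", "192.0.2.10"),
]
SAMPLE_PAGES = [
    PagesDomain("docs.example.com", verified=True),
    PagesDomain("beta.example.com", verified=False),
]

if __name__ == "__main__":
    for domain, target, reason in find_dangling(SAMPLE_RECORDS, SAMPLE_PAGES):
        print(f"{domain} -> {target}: {reason}")
```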

Piercing Index Rating

-

Discovered by

Philippe Delteil