CVE-2024-10240 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Gi

Description

An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.

How to fix CVE-2024-10240

To remediate CVE-2024-10240, upgrade the affected package to a fixed version below.

—upgrade to 17.3.7 or later

Is CVE-2024-10240 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 17.3.0, < 17.3.7, >= 17.4.0, < 17.4.4, >= 17.5.0, < 17.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (3)

WEBabout.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint
WEBgitlab.com/gitlab-org/gitlab/-/issues/493188
WEBnvd.nist.gov/vuln/detail/CVE-2024-10240