CVE-2024-5435 — Generation of Error Message Containing Sensitive Information in GitLab

Description

An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration.

How to fix CVE-2024-5435

To remediate CVE-2024-5435, upgrade the affected package to a fixed version below.

—upgrade to 17.1.7 or later

Is CVE-2024-5435 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 15.10.0, < 17.1.7, >= 17.2.0, < 17.2.5, >= 17.3.0, < 17.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

WEBabout.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
WEBgitlab.com/gitlab-org/gitlab/-/issues/464044
WEBhackerone.com/reports/2520722
WEBnvd.nist.gov/vuln/detail/CVE-2024-5435