CVE-2024-10043: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2. The vulnerability allows group users to view confidential incident titles through the Wiki History Diff feature, potentially leading to information disclosure (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-863 (Incorrect Authorization). The vulnerability specifically manifests in the Wiki History Diff feature where group users can access confidential incident titles that should be restricted (NVD).

The vulnerability results in information disclosure where unauthorized group users can view confidential incident titles that they should not have access to. This breach of confidentiality could expose sensitive information contained in incident titles to users with lower privilege levels (GitLab Release).

GitLab has released patches to address this vulnerability in versions 17.4.6, 17.5.4, and 17.6.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher mateuszek. GitLab has classified this as a low severity issue and included it in their December 2024 security release (GitLab Release).