CVE-2024-10240: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2024-10240) was discovered in GitLab Enterprise Edition affecting versions 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability allows an unauthenticated user to read information about merge requests (MR) in private projects under certain circumstances. This vulnerability was discovered internally by GitLab team member Patrick Bajao (GitLab Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is related to the merge request dependencies API endpoints where details of blocking merge requests from private projects could be exposed through list and get operations (GitLab Issue).

The vulnerability allows unauthorized users to access information about merge requests in private projects, potentially exposing sensitive project data. The impact is limited to information disclosure with no ability to modify or delete data (GitLab Advisory).

The vulnerability has been fixed in GitLab versions 17.3.7, 17.4.4, and 17.5.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Advisory).