CVE-2024-12244: 
GitLab vulnerability analysis and mitigation

CVE-2024-12244 is an access control vulnerability discovered in GitLab Enterprise Edition (EE) that affects versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. The vulnerability allows unauthorized users to view certain restricted project information even when related features are disabled (NVD, GitLab Release).

The vulnerability is classified as CWE-862 (Missing Authorization) and has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction, resulting in low confidentiality impact with no impact on integrity or availability (NVD).

The vulnerability allows unauthorized access to view restricted project information, specifically branch names, when repository assets are disabled in the project. This represents a confidentiality breach in GitLab's access control mechanisms (GitLab Release).

GitLab has released patches to address this vulnerability in versions 17.9.7, 17.10.5, and 17.11.1. Organizations running affected versions are strongly recommended to upgrade to the latest patched version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher 'mateuszek'. GitLab has acknowledged and addressed the issue in their scheduled patch release (GitLab Release).