CVE-2024-12380: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2024-12380) was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, and all versions starting from 17.9 before 17.9.2. The vulnerability relates to sensitive authentication information exposure through repository mirroring settings. This issue was disclosed on March 13, 2025, and has been assigned a CVSS v3.1 base score of 4.4 (Medium) (NVD).

The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). It has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating that it requires network access, high attack complexity, and high privileges, but no user interaction. The vulnerability affects the repository mirroring settings functionality where certain user inputs could potentially expose sensitive authentication information (GitLab Release).

The vulnerability could lead to the disclosure of sensitive authentication information when repository mirroring fails. This could potentially expose credentials and other sensitive authentication details to unauthorized users (GitLab Release).

The vulnerability has been patched in GitLab versions 17.7.7, 17.8.5, and 17.9.2. GitLab.com is already running the patched version, and GitLab strongly recommends that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab Dedicated customers do not need to take action and will be notified once their instance has been patched (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher sigitsetiawansss. Ubuntu has marked this vulnerability as 'Medium' priority, noting that GitLab isn't maintainable as a distro package and was removed from Ubuntu (Ubuntu Security).