CVE-2024-3115: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat (GitLab Release, NVD).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The issue is related to missing authorization (CWE-862) where Duo Chat functionality bypasses SSO enforcement, allowing unauthorized access to issues and epics in SSO-enforced groups (NVD).

The vulnerability allows users to bypass SSO enforcement using Duo Chat, potentially leaking issues and epics to users who are not correctly authorized. While these users need to be group members, they can access content without having an active SSO session that would normally be required (GitLab Issue).

The vulnerability has been patched in GitLab versions 16.11.5, 17.0.3, and 17.1.1. Organizations running affected versions should upgrade to the patched versions immediately. GitLab.com is already running the patched version (GitLab Release).