CVE-2024-3958: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. The vulnerability allows attackers to exploit a discrepancy between the Web application display and the git command line interface, enabling social engineering attacks that trick victims into cloning non-trusted code (GitLab Release, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N according to NVD's assessment. GitLab has assigned it a slightly lower CVSS score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability could allow attackers to conduct social engineering attacks by exploiting the inconsistency between how code is displayed in the web interface versus the git command line interface, potentially leading to users unknowingly cloning and executing untrusted code (GitLab Release).

GitLab has released patches in versions 17.0.6, 17.1.4, and 17.2.2 to address this vulnerability. Users are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher st4nly0n, demonstrating the effectiveness of GitLab's security response program (GitLab Release).