CVE-2024-4278: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2024-4278) was discovered in GitLab Enterprise Edition affecting versions from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. The vulnerability was disclosed on September 25, 2024, and allows maintainers to obtain a Dependency Proxy password through manipulation of certain Dependency Proxy settings (GitLab Release, NVD).

The vulnerability involves an information disclosure issue where a maintainer could obtain a Dependency Proxy password by editing specific Dependency Proxy settings via a POST request. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The issue is related to incorrect synchronization (CWE-821) according to GitLab's assessment (NVD, GitLab Release).

The vulnerability allows maintainers to access Dependency Proxy authentication credentials that should be restricted after initial configuration. This could potentially lead to unauthorized access to dependency proxy resources and compromise of sensitive authentication information (GitLab Issue).

GitLab has addressed this vulnerability in versions 17.2.8, 17.3.4, and 17.4.1. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).