CVE-2024-4472: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. The vulnerability was assigned CVE-2024-4472 and was reported through GitLab's HackerOne bug bounty program (GitLab Release).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). The issue has a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) according to NVD, while GitLab Inc. assessed it as 4.0 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The vulnerability specifically involves the exposure of plaintext Dependency Proxy credentials in the graphql_json.log file (NVD).

For GitLab self-managed instances, the Dependency Proxy credentials entered by users could be exposed to anyone with access to the logs. In the case of gitlab.com, the plaintext credentials of both users and enterprises for the Dependency Proxy are stored in logs, which may be ingested into various log analysis and statistical platforms, potentially exposing them to GitLab employees of different roles (GitLab Issue).

The vulnerability has been patched in GitLab versions 17.1.7, 17.2.5, and 17.3.2. Users are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).