
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2024-4660) was discovered in GitLab Enterprise Edition (EE) affecting versions from 11.2 before 17.1.7, versions from 17.2 before 17.2.5, and versions from 17.3 before 17.3.2. The vulnerability allows guest users to read the source code of private projects through the group templates feature (GitLab Release, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper access control mechanisms in GitLab's group templates feature, where guest users could bypass intended restrictions to access private project source code. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).
The primary impact of this vulnerability is disclosure of sensitive information. A guest user could use this flaw to read the complete source code of private projects they should not have access to, potentially exposing proprietary code and sensitive business logic (GitLab Issue).
GitLab has addressed this vulnerability in versions 17.1.7, 17.2.5, and 17.3.2. Organizations are strongly advised to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix (GitLab Release).
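To turn the affected-range and fixed-version statements above into a repeatable check, the following script (an added example, not code from GitLab or from this database) evaluates a GitLab EE version string against the three ranges the advisory gives and reports the lowest fixed release to move to. The version strings in the inventory are constructed samples; the `-ee` suffix form is an assumption about how GitLab reports its version and is ignored by the parser.

```python
"""Check GitLab EE version strings against the CVE-2024-4660 affected ranges."""
import re

# Affected ranges as stated in the advisory: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = (
    ((11, 2, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)

# Releases the advisory names as containing the fix.
FIXED_VERSIONS = ((17, 1, 7), (17, 2, 5), (17, 3, 2))

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn strings such as '17.1.6-ee' or '17.2' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0, so '17.2' means the first 17.2 release.
    Any trailing suffix (e.g. '-ee', assumed GitLab formatting) is ignored.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version falls inside any advisory range (tuple comparison is lexicographic)."""
    version = parse_version(version_text)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """Lowest fixed release above the given version, as 'X.Y.Z', or None if not affected."""
    if not is_affected(version_text):
        return None
    version = parse_version(version_text)
    target = min(fixed for fixed in FIXED_VERSIONS if fixed > version)
    return ".".join(str(part) for part in target)


def triage(inventory):
    """Map each host to its upgrade target; hosts that are not affected are omitted."""
    return {
        host: recommended_upgrade(version)
        for host, version in inventory.items()
        if is_affected(version)
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the example).
    sample_inventory = {
        "gitlab-prod.example.internal": "17.1.6-ee",
        "gitlab-staging.example.internal": "17.2.5-ee",
        "gitlab-legacy.example.internal": "16.11.3-ee",
    }
    for host, target in triage(sample_inventory).items():
        print(f"{host}: affected, upgrade to {target}")
```

Because the first range runs from 11.2 all the way up to 17.1.7, any 12.x through 17.0.x instance is also flagged and pointed at 17.1.7; the script only encodes what the advisory states and makes no claim about editions or versions it does not mention.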
Source: This report was generated using AI