CVE-2024-7060: 
GitLab vulnerability analysis and mitigation

An information disclosure vulnerability was identified in GitLab CE/EE affecting project and group exports. The vulnerability impacts all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1. This security issue allows unauthorized users to view the resultant exports of projects and groups (NVD).

The vulnerability has been assigned CVE-2024-7060 and is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). According to the CVSS v3.1 scoring, NIST assigned a base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while GitLab Inc. assessed it with a base score of 2.6 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability could lead to unauthorized access to sensitive information contained within project or group exports. This includes potentially exposing inaccessible resources that should be restricted based on user permissions, such as epics, notes, or other confidential data that would normally be filtered based on user authorization (GitLab Issue).

Users are advised to upgrade to GitLab version 17.0.5, 17.1.3, or 17.2.1 or later, depending on their current version track. These versions contain the necessary fixes to ensure export files are only accessible to the users who initiated them (NVD).