CVE-2024-7586: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved authentication credentials. This vulnerability has been assigned CVE-2024-7586 and was discovered internally by GitLab Team member Anton Smith (GitLab Release, NVD).

The vulnerability has been assessed as medium severity with a CVSS v3.1 base score of 4.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N). The issue is related to CWE-532 (Insertion of Sensitive Information into Log File), where authentication credentials were being preserved in the webhook deletion audit log (NVD).

The vulnerability could potentially expose sensitive authentication credentials through the webhook deletion audit log, leading to potential unauthorized access to system information. The impact is limited to confidentiality concerns, with no direct impact on integrity or availability of the system (GitLab Release).

The vulnerability has been fixed in GitLab versions 17.0.6, 17.1.4, and 17.2.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version (GitLab Release).