CVE-2024-9512: 
GitLab vulnerability analysis and mitigation

A Time-of-check Time-of-use (TOCTOU) race condition vulnerability (CVE-2024-9512) was discovered in GitLab Enterprise Edition (EE) affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher hdtran (GitLab Patch).

The vulnerability is classified as a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) that occurs when a secondary node is out of sync. It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability (GitLab Patch, Wiz).

If successfully exploited, this vulnerability could allow an authenticated attacker to clone private repositories during the period when a secondary node is out of sync, potentially leading to unauthorized access to sensitive information (GitLab Patch).

GitLab has released patches to address this vulnerability. Users are strongly recommended to upgrade to GitLab version 17.10.8, 17.11.4, or 18.0.2 or later. GitLab.com has already been updated with the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Patch).