CVE-2024-9596: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. The vulnerability allows an unauthenticated attacker to determine the GitLab version number for a GitLab instance (GitLab Release, NVD).

The vulnerability is tracked as CVE-2024-9596 and has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue stems from the exposure of version information in the page source, which was initially introduced in version 15.9 and became a default behavior in version 16.6 (GitLab Release).

The disclosure of version information poses a security risk as it makes it easier for malicious actors to identify potential attack vectors that affect specific versions of GitLab. This information exposure could be used to target known vulnerabilities in unpatched instances (BleepingComputer).

The vulnerability has been patched in GitLab versions 17.4.2, 17.3.5, and 17.2.9. Users are strongly recommended to upgrade to these versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).