CVE-2024-5067 — Exposure of Sensitive Information to an Unauthorized Actor in GitLab

Description

An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles.

How to fix CVE-2024-5067

To remediate CVE-2024-5067, upgrade the affected package to a fixed version below.

—upgrade to 17.0.5 or later

Is CVE-2024-5067 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 16.11.0, < 17.0.5, >= 17.1.0, < 17.1.3, >= 17.2.0, < 17.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References (5)

WEBgitlab.com/gitlab-org/gitlab/-/issues/458504
WEBgitlab.com/gitlab-org/gitlab/-/issues/462427
WEBhackerone.com/reports/2462303
WEBhackerone.com/reports/2502047
WEBnvd.nist.gov/vuln/detail/CVE-2024-5067