CVE-2024-12380

CVE-2024-12380 is a vulnerability discovered in GitLab Enterprise Edition (EE) and Community Edition (CE), affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, and all versions starting from 17.9 before 17.9.2. The issue arises from certain user inputs in repository mirroring settings that could potentially expose sensitive authentication information. It is classified under CWE-209 and carries a CVSS v3.1 base score of 4.4 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N), indicating a moderate severity with high confidentiality impact but no integrity or availability effects.

Exploitation requires network access, high attack complexity, and high privileges (PR:H), with no user interaction needed. An authenticated attacker possessing elevated privileges could leverage the flawed handling of inputs in repository mirroring settings to disclose sensitive authentication details, potentially compromising credentials used for mirroring operations.

Mitigation is achieved by upgrading to patched GitLab versions: 17.7.7 or later for the 17.7 series, 17.8.5 or later for the 17.8 series, and 17.9.2 or later for the 17.9 series. Further details on the issue and resolution are documented in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/508557 and the corresponding HackerOne disclosure report at https://hackerone.com/reports/2868951.