CVE-2024-4278: Incorrect Synchronization in GitLab
First published: Thu Sep 26 2024(Updated: )
An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=16.5.0<17.2.8 | |
| GitLab | >=17.3.0<17.3.4 | |
| GitLab | =17.4.0 |
Remedy
Upgrade to versions 17.2.8, 17.3.4, 17.4.1 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-4278?
CVE-2024-4278 is classified as an information disclosure vulnerability with potentially significant implications for security.
How do I fix CVE-2024-4278?
To fix CVE-2024-4278, upgrade GitLab to versions 17.2.8, 17.3.4, or 17.4.1 or later.
Who is affected by CVE-2024-4278?
CVE-2024-4278 affects all GitLab EE versions from 16.5 to prior to 17.2.8, 17.3 to prior to 17.3.4, and 17.4 to prior to 17.4.1.
What type of data is exposed in CVE-2024-4278?
CVE-2024-4278 allows maintainers to access the Dependency Proxy password due to improper settings handling.
When was CVE-2024-4278 disclosed?
CVE-2024-4278 was disclosed in 2024, highlighting a critical information disclosure issue.
- agent/remedy
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/event
- agent/severity
- agent/weakness
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gitlab
- canonical/gitlab
- version/gitlab/16.5.0
- version/gitlab/17.3.0
- version/gitlab/17.4.0