CVE-2024-10043 in Enterprise Edition

Summary

by MITRE • 12/12/2024

An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4, and all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.


Analysis

by VulDB Data Team • 07/12/2025

This vulnerability in GitLab Enterprise Edition is an information disclosure flaw that undermines the confidentiality controls applied to incident data. A group member who is not permitted to see a confidential incident can nonetheless learn its title through the Wiki History Diff feature. Confidential incidents are the mechanism GitLab offers for keeping sensitive incident records away from ordinary group members, so any path that reveals their titles bypasses a control the rest of the access model relies on. The affected ranges (14.3 up to 17.4.6, 17.5 up to 17.5.4 and 17.6 up to 17.6.2) show that the flaw was present across many releases before it was fixed.

Technically, the weakness is an insufficient permission check in the Wiki History Diff view. When a user requests the diff between two versions of a wiki page, the rendered output can include the title of a confidential incident, and the application does not verify that the requesting user is authorised to view that incident before showing it. In effect, the authorisation applied is the wiki's (may this user read this wiki?) rather than the incident's (may this user read this confidential incident?). Any authenticated group member with wiki access can therefore use the diff view as a side channel for confidential incident titles.

The operational impact is the disclosure itself. Incident titles are often written in a hurry and can name the affected system, the nature of a breach, a customer, or an exploited weakness, which is exactly why they are marked confidential. A group member who should only see general project documentation can harvest these titles and use them to learn about the organisation's security posture or to pick targets for further attacks. The exposure is most serious where GitLab is the incident-management system of record and the wiki doubles as the runbook and post-incident documentation store.

Organizations running affected versions should upgrade without delay to 17.4.6, 17.5.4 or 17.6.2 (or later), which contain the access control fix. Until then, and as general hygiene, administrators should review who holds membership in groups that contain confidential incidents and keep incident-related wiki content in projects with restricted membership rather than relying on the group-wide wiki. The weakness is classified as CWE-284 (Improper Access Control). VulDB maps the entry to ATT&CK technique T1566, which is Phishing under Initial Access; that fit is loose, since the impact here is information disclosure to an already-authenticated group member rather than initial access or privilege escalation. Reviewing request logs for unusual volumes of wiki diff requests can help identify users who may have probed this path.
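As an added example (not code from GitLab or VulDB), the following Python helper does two things a practitioner would want from this entry: it checks a version string against the affected ranges quoted in the summary, and it scans a few constructed request-log lines for repeated wiki diff requests per user. The log rows are made up; the controller and action names (`Projects::WikisController`, `diff`) and the JSON field names are assumptions about the layout of GitLab's production_json.log that you should verify against your own instance.

```python
"""Helpers for CVE-2024-10043 (GitLab EE, confidential incident title exposure via
Wiki History Diff).  Added example; not GitLab or VulDB code."""
import json
import re
from collections import Counter

# Affected ranges taken from the advisory text: [14.3, 17.4.6), [17.5, 17.5.4), [17.6, 17.6.2)
AFFECTED_RANGES = [
    ((14, 3, 0), (17, 4, 6)),
    ((17, 5, 0), (17, 5, 4)),
    ((17, 6, 0), (17, 6, 2)),
]


def parse_version(version):
    """'17.5.3-ee' -> (17, 5, 3).  A missing patch component is treated as 0,
    so '17.5' compares as the first release of that minor line."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(version):
    """True if the given GitLab EE version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample in the shape of GitLab's production_json.log (one JSON object
# per line).  Controller/action/field names are assumptions to verify locally.
SAMPLE_LOG = """\
{"time":"2024-11-20T10:00:01Z","controller":"Projects::WikisController","action":"diff","username":"alice","path":"/grp/app/-/wikis/runbook/diff","status":200}
{"time":"2024-11-20T10:00:05Z","controller":"Projects::WikisController","action":"diff","username":"bob","path":"/grp/app/-/wikis/runbook/diff","status":200}
{"time":"2024-11-20T10:00:09Z","controller":"Projects::WikisController","action":"show","username":"alice","path":"/grp/app/-/wikis/runbook","status":200}
{"time":"2024-11-20T10:00:12Z","controller":"Projects::WikisController","action":"diff","username":"alice","path":"/grp/app/-/wikis/oncall/diff","status":200}
{"time":"2024-11-20T10:00:15Z","controller":"Projects::WikisController","action":"diff","username":"carol","path":"/grp/app/-/wikis/missing/diff","status":404}
{"time":"2024-11-20T10:00:20Z","controller":"Projects::WikisController","action":"diff","username":"alice","path":"/grp/app/-/wikis/postmortem/diff","status":200}
"""


def wiki_diff_views(log_text):
    """Count successful wiki diff views per username.  Failed requests (non-200)
    are ignored because no page content, and hence no title, was returned."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if (
            rec.get("controller") == "Projects::WikisController"
            and rec.get("action") == "diff"
            and rec.get("status") == 200
        ):
            counts[rec.get("username", "<anonymous>")] += 1
    return counts


def flag_users(log_text, threshold=3):
    """Usernames whose successful diff views reach the threshold, sorted."""
    return sorted(u for u, n in wiki_diff_views(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ver in ("17.5.3-ee", "17.5.4", "17.4.5", "17.7.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(dict(wiki_diff_views(SAMPLE_LOG)))
    print("review:", flag_users(SAMPLE_LOG))
```

The log heuristic only measures volume: the request log does not record the rendered response, so it cannot tell which diffs actually exposed a confidential title. Treat a flagged user as a starting point for review, not as evidence of exploitation, and tune the threshold to the normal wiki activity of the group.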

Responsible

GitLab

Reservation

10/16/2024

Disclosure

12/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00436

KEV

no

Activities

very low
