vulnerability
Gitlab Gitlab: CVE-2024-10240: Exposure of Sensitive System Information to an Unauthorized Control Sphere
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Nov 26, 2024 | Apr 22, 2025 | Mar 25, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Nov 26, 2024
Added
Apr 22, 2025
Modified
Mar 25, 2026
Description
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
Solution
gitlab-gitlab-upgrade-latest
References
- CWE-497
- CVE-2024-10240
- https://attackerkb.com/topics/CVE-2024-10240
- https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/#information-disclosure-through-an-api-endpoint
- https://gitlab.com/gitlab-org/gitlab/-/issues/493188
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-33406
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.