PT-2024-4735 · Gitlab · Gitlab Ce/Ee+1

Joaxcaron · Published 2024-06-26 · Updated 2024-08-30 · CVE-2024-3115

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
GitLab EE versions 16.0 through 16.11.4
GitLab EE versions 17.0 through 17.0.2
GitLab EE versions 17.1 through 17.1.0
Description: The issue allows an attacker to use Duo Chat to access issues and epics without holding an SSO session. It stems from insufficient protection of service data in the Single sign-on (SSO) authentication mechanism of the GitLab Duo Chat web interface. Exploitation may allow a remote attacker to gain unauthorized access to protected information in the Epics and Issues modules.
Recommendations: For versions 16.0 through 16.11.4, update to version 16.11.5 or later. For versions 17.0 through 17.0.2, update to version 17.0.3 or later. For versions 17.1 through 17.1.0, update to version 17.1.1 or later. As a temporary workaround, consider disabling the Duo Chat functionality until the update can be applied. Restrict access to the Epics and Issues modules to minimize the risk of exploitation.

Exploit · Fix

Weakness Enumeration

Missing Authorization · Information Disclosure

Related Identifiers

BDU:2024-05255
BIT-GITLAB-2024-3115
CVE-2024-3115

Affected Products

Gitlab
Gitlab Ce/Ee