PT-2024-6517 · GitLab · GitLab CE/EE (+1)
Credit: Ashish (+1)
Published: 2024-09-16 · Updated: 2024-09-24
CVE-2024-6685
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
GitLab CE/EE versions 16.7 through 17.1.7
GitLab CE/EE versions 17.2 through 17.2.5
GitLab CE/EE versions 17.3 through 17.3.2
Description:
An issue was discovered in GitLab CE/EE where group runner information was disclosed to unauthorized group members. The issue lies in the Group Member Handler component and involves an authorization bypass via a user-controlled key, allowing a remote attacker to gain unauthorized access to protected information.
Recommendations:
For GitLab CE/EE versions 16.7 through 17.1.7, update to version 17.1.7 or later.
For GitLab CE/EE versions 17.2 through 17.2.5, update to version 17.2.5 or later.
For GitLab CE/EE versions 17.3 through 17.3.2, update to version 17.3.2 or later.
As a temporary workaround, consider restricting access to group runners information to minimize the risk of exploitation.
Tags: Exploit, Fix, IDOR
Affected Products: GitLab, GitLab CE/EE