CVE-2024-10043 - GitLab Wiki Diff Feature Discloses Confidential Incident Titles – Deep Dive, Exploit Demo, and Remediation

In February 2024, a critical security issue dubbed CVE-2024-10043 was publicly disclosed affecting GitLab EE (Enterprise Edition). This vulnerability, found in specific GitLab versions, makes it possible for unauthorized group users to view the titles of confidential incidents via the Wiki History Diff feature. While not remote code execution, this is a significant information disclosure flaw that could expose sensitive project details to unintended users.

This post covers everything you need to know: where to find the bug, how it works, the risk, how to exploit it, and—most importantly—how to fix it. It’s written in plain, simple language, including code snippets and proof-of-concept steps.

All 17.6 versions before 17.6.2

Community Edition (CE) is NOT affected.
Enterprise Edition (EE) admins should update ASAP.

What Is the Vulnerability?

In GitLab EE, confidential incidents are used to privately handle sensitive issues (security bugs, financial info, etc.). Confidentiality is meant to stop regular project/group members from learning about these incidents.

However, in affected versions, by carefully inspecting Wiki Page History Diffs (the differences between revisions of a wiki page), users can access the title of a confidential incident that should be hidden.

Information about infrastructure, security practices, or vulnerabilities

This opens the door to targeted attacks, social engineering, or internal misuse.

At some point, the reference to the confidential incident title is added or removed.

3. A group-level user who isn’t permitted to view that incident can use the Wiki Page History Diff to compare page changes.

4. The diff output includes the plain title of the incident (even if the user should have no access to confidential issues/incidents).

They access the History Diff view between the two relevant revisions.

6. The incident title pops up right in the diff—even though it's supposed to be hidden from Member C.

As Alice

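# In the project, create a confidential incident with a sensitive title
# (issue_type=incident makes the new issue an incident; the title is URL-encoded)
curl --header "PRIVATE-TOKEN: <ALICE_TOKEN>" \
     --data-urlencode "title=Critical Database Exposure: Production Leak" \
     --data "confidential=true" \
     --data "issue_type=incident" \
     "https://gitlab.example.com/api/v4/projects/<project_id>/issues"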

*(Incident issue is marked confidential)*

Step 3: Edit the Wiki to Remove Reference

Carol edits Security.md again and removes (or updates) the incident title.

Click the “History” tab

3. Select the diff between the versions where the reference was added/removed.

Expected: The confidential incident title should be hidden.

Actual: The plain title appears in the diff view!

The Wiki History Diff template in certain GitLab EE versions renders raw page diffs.

- There is no permission check/redaction on confidential issue references inside those diffs.

Therefore, group users can snoop on “deleted or added” lines and see the incident’s title.

This bypasses standard access controls, exposing details only meant for maintainers/security.

Remediation

Upgrade!

Upgrade to 17.4.6, 17.5.4, or 17.6.2 (or later).

See GitLab’s Security Advisory and the original CVE.

Minimize confidential details shown in wiki pages while at risk.

- Remove or ban references to confidential incidents in wikis.

Detection & Audit

To check if your project Wikis contain such leaks, use the API to scan Wiki diffs for confidential references:

curl --header "PRIVATE-TOKEN: <TOKEN>" \
     "https://gitlab.example.com/api/v4/projects/<project_id>/wikis/<wiki_slug>/history"

# Parse the diff output for confidential issue titles, references, or any sensitive info

*(Needs scripting to process responses, but searching for confidential issues referenced can be automated)*
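One way to script that audit, as an added example (not code from the original post or from GitLab): it scans the patch history of a locally cloned wiki repository for added or removed lines that name a known confidential incident by title or `#iid`. The incident list, the commit ids and the `git log -p` text below are constructed samples, and the function name is hypothetical; the real list of confidential incidents is assumed to come from an account allowed to see them.

```python
import re

# Constructed sample: confidential incidents (iid -> title) exported by a privileged account.
CONFIDENTIAL = {42: "Critical Database Exposure: Production Leak"}
# Constructed sample: `git log -p` text from a wiki clone, trimmed to commit ids and patches.
SAMPLE_LOG = """\
commit bbbb222

diff --git a/Security.md b/Security.md
--- a/Security.md
+++ b/Security.md
@@ -1,4 +1,2 @@
-See incident: Critical Database Exposure: Production Leak
--- tracked as #42
 - unrelated ticket #420
 Contact the security team.
commit aaaa111

diff --git a/Security.md b/Security.md
--- a/Security.md
+++ b/Security.md
@@ -1 +1,4 @@
+See incident: Critical Database Exposure: Production Leak
+-- tracked as #42
+- unrelated ticket #420
 Contact the security team.
"""

def scan_wiki_history(log_text, confidential):
    """Return (commit, change, iid, text) for each added/removed diff line naming an incident."""
    patterns = {}
    for iid, title in confidential.items():
        # Title match tolerates case/spacing changes; "#42" must not match inside "#420".
        words = r"\s+".join(re.escape(w) for w in title.split())
        patterns[iid] = re.compile(rf"{words}|#{iid}(?!\d)", re.IGNORECASE)
    hits, commit, in_hunk = [], None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1], False
        elif line.startswith("diff --git"):
            in_hunk = False  # the ---/+++ lines that follow are file headers, not content
        elif line.startswith("@@"):
            in_hunk = True   # from here on, every +/- line is page content
        elif in_hunk and line.startswith(("+", "-")):
            change = "added" if line[0] == "+" else "removed"
            for iid, pat in patterns.items():
                if pat.search(line[1:]):
                    hits.append((commit, change, iid, line[1:].strip()))
    return hits
```

Tracking hunk state rather than skipping every line that starts with `---` keeps removed lines whose own text begins with dashes, such as the `-- tracked as #42` line in the sample.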

References

- GitLab Security Advisory: Critical Security Release
- CVE on NIST NVD: CVE-2024-10043
- GitLab Release Post

Conclusion

CVE-2024-10043 is a potent reminder that information disclosure bugs can be as dangerous as direct code execution flaws. Even seemingly “harmless” features like Wiki diffs can leak highly confidential information. If you’re running GitLab EE, patch immediately, review your Wikis, and educate teams about not exposing sensitive titles in group-accessible pages.

Stay vigilant, keep your tools updated, and audit for exposures regularly.


*If this saved your bacon, share it with your DevOps/Security team.*

Timeline

Published on: 12/12/2024 12:15:21 UTC