A vulnerability has been identified in GitLab CE/EE, affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. The flaw allows authenticated users to write files to arbitrary locations on the GitLab server while creating a workspace.
Tracked as CVE-2024-0402, the vulnerability carries a CVSS score of 9.9 out of 10, which GitLab rates as critical.
CVE-2024-0402: Short Technical Overview
The issue affects GitLab CE/EE 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1, and allows authenticated users to write files to arbitrary locations on the GitLab server while creating a workspace. GitLab fixed the problem in 16.8.1 and backported the fix to 16.7.4, 16.6.6, and 16.5.8. Note that the 16.0 through 16.4 series have no patched release of their own: an instance on any of those versions must move to at least 16.5.8.
Alongside the critical fix, the same release addresses four medium-severity vulnerabilities, among them a regular expression denial-of-service (ReDoS) flaw, an HTML injection flaw, and the unintended disclosure of a user's public email address through the tags RSS feed.
This release follows a previous update two weeks earlier in which GitLab resolved two critical flaws, one of which could be exploited to take over accounts without any user interaction (CVE-2023-7028, CVSS score: 10.0).
CVE-2023-7028 was reported by the security researcher 'Asterion' through the HackerOne bug bounty platform. It was introduced in version 16.1.0, released on May 1, 2023, and affects releases from that point up to the patched versions. GitLab urges users to upgrade to 16.7.2, 16.6.4, or 16.5.6, or to apply the fix backported to 16.1.6, 16.2.9, and 16.3.7.
To mitigate the risk, self-managed users are strongly advised to upgrade their GitLab installations to a patched version as soon as possible. GitLab.com and GitLab Dedicated environments are already running the patched release, so the upgrade burden falls on self-managed instances.
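Because the affected ranges above straddle several minor series, a plain "is my version older than X" check gives the wrong answer for instances on 16.6.x or 16.7.x. The following added example (not GitLab's own tooling) encodes the CVE-2024-0402 ranges exactly as the advisory text on this page states them and reports whether a given version string is affected and which release in its series carries the fix. It assumes the version string is the one your instance reports via `gitlab-rake gitlab:env:info` or `GET /api/v4/version`, which may carry a `-ee`/`-ce` suffix; the sample JSON payload and version strings below are constructed for illustration.

```python
"""Check a GitLab version string against the CVE-2024-0402 affected ranges.

Added example, not GitLab's own code. The ranges below are transcribed from
the advisory text quoted on this page (16.0 before 16.5.8, 16.6 before 16.6.6,
16.7 before 16.7.4, 16.8 before 16.8.1). Add further CVEs to AFFECTED as
(lower_bound_inclusive, first_fixed_release_exclusive) tuples.
"""
from __future__ import annotations

import json
import re

# GitLab reports versions like "16.8.0-ee" or "16.7.3-ce.0"; only the
# numeric major.minor.patch prefix matters for the range check.
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

Version = tuple[int, int, int]

# cve -> list of (lower bound, inclusive; first fixed release, exclusive)
AFFECTED: dict[str, list[tuple[Version, Version]]] = {
    "CVE-2024-0402": [
        ((16, 0, 0), (16, 5, 8)),  # 16.0 .. 16.5 series, no fix before 16.5.8
        ((16, 6, 0), (16, 6, 6)),
        ((16, 7, 0), (16, 7, 4)),
        ((16, 8, 0), (16, 8, 1)),
    ],
}


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a GitLab version string.

    Raises ValueError on anything that does not start with three dotted
    integers, so a garbled or missing version is never silently treated
    as "not affected".
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def minimum_fix(version: str, cve: str = "CVE-2024-0402") -> str | None:
    """Return the first patched release in the instance's series.

    Returns None when the version lies outside every affected range.
    Tuple comparison gives correct ordering for e.g. 16.5.10 vs 16.5.8.
    """
    current = parse_version(version)
    for lower, fixed in AFFECTED[cve]:
        if lower <= current < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def vulnerable_to(version: str, cve: str = "CVE-2024-0402") -> bool:
    """True if the given version falls inside an affected range for cve."""
    return minimum_fix(version, cve) is not None


def check_api_payload(payload: str, cve: str = "CVE-2024-0402") -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version.

    The endpoint returns {"version": "...", "revision": "..."}; the payload
    passed in here is constructed for the example rather than captured.
    """
    version = json.loads(payload)["version"]
    fix = minimum_fix(version, cve)
    return {"version": version, "cve": cve, "affected": fix is not None, "upgrade_to": fix}


if __name__ == "__main__":
    # Constructed sample payload, shaped like the real /api/v4/version response.
    sample = '{"version": "16.7.3-ee", "revision": "0123456789a"}'
    print(check_api_payload(sample))
```

The check rejects unparseable input instead of defaulting to "safe", and it reports the fix release for the instance's own series rather than simply "upgrade to latest", which is what an operator pinned to 16.6.x actually needs to know.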