CVE-2024-0402: GitLab Releases Urgent Security Patches for Critical Vulnerability
GitLab has addressed a critical severity vulnerability that could allow an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
GitLab is a web-based DevOps platform that combines the functionalities of Git repositories with continuous integration/continuous delivery (CI/CD) pipelines, issue tracking, and other features useful for software development.
The flaw (discovered internally and tracked as CVE-2024-0402, CVSS 9.9) affects both GitLab Community Edition (CE) and Enterprise Edition (EE).
The GitLab team explained in a security advisory published on Thursday: “An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.”
GitLab urged users to immediately upgrade all GitLab installations to the latest patched versions (16.5.8, 16.6.6, 16.7.4, or 16.8.1) to fix CVE-2024-0402.
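Because the advisory gives four separate affected ranges, each with its own patched release, an inventory check is easy to get wrong by hand. The following is an added example (not GitLab's own code or tooling) that encodes the ranges quoted above and reports, for each installation's version string, which patched release it must move to; it assumes the usual GitLab "major.minor.patch" format with an optional edition suffix such as "-ee", and the sample inventory is constructed.

```python
"""Triage self-managed GitLab versions against the CVE-2024-0402 advisory ranges."""
import re

# Affected ranges (inclusive lower bound, exclusive patched upper bound), taken
# from the advisory text: "16.0 prior to 16.5.8, 16.6 prior to 16.6.6,
# 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1".
AFFECTED_RANGES = (
    ((16, 0, 0), (16, 5, 8)),
    ((16, 6, 0), (16, 6, 6)),
    ((16, 7, 0), (16, 7, 4)),
    ((16, 8, 0), (16, 8, 1)),
)


def parse_version(text):
    """Turn '16.7.3' or '16.7.3-ee' into a comparable tuple such as (16, 7, 3)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def patched_release_for(version_text):
    """Return the patched release (e.g. '16.7.4') the installation must upgrade
    to if its version lies in an affected range, or None if it is outside them."""
    v = parse_version(version_text)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage(version_texts):
    """Map each reported version string to its required patched release (or None)."""
    return {t: patched_release_for(t) for t in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory of version strings; not real hosts.
    sample = ["16.7.3-ee", "16.5.8", "16.8.0", "15.11.13", "16.9.0"]
    for ver, target in triage(sample).items():
        verdict = f"upgrade to {target}" if target else "not in an affected range"
        print(f"{ver}: {verdict}")
```

Versions below 16.0 or at or above the patched release of their branch come back as None, matching the advisory's wording rather than assuming anything about releases it does not mention.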
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” the team said.
GitLab also fixed several other security flaws in this update:
- CVE-2023-6159 (CVSS 6.5): ReDoS in Cargo.toml blob viewer
- CVE-2023-5993 (CVSS 6.4): Arbitrary API PUT requests via HTML injection in user’s name
- CVE-2023-5612 (CVSS 5.3): Disclosure of the public email in Tags RSS Feed
- CVE-2024-0456 (CVSS 4.3): Non-Member can update MR Assignees of owned MRs
Earlier this month, GitLab released security updates to address a critical vulnerability that could be exploited to take over accounts without requiring any user interaction. Tracked as CVE-2023-7028, the flaw was assigned the maximum CVSS severity of 10.0 and could facilitate account takeover by sending password reset emails to an unverified email address.