URGENT: Upgrade GitLab – Critical Workspace Creation Flaw Allows File Overwrite

Avatar
GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. “An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace.

Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace,” GitLab said in an advisory released on January 25, 2024.

The company also noted patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.

Also resolved by GitLab are four medium-severity flaws that could lead to a regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user’s public email address via the tags RSS feed.

The latest update arrives two weeks after the DevSecOps platform shipped fixes to close out two critical shortcomings, including one that could be exploited to take over accounts without requiring any user interaction (CVE-2023-7028, CVSS score: 10.0).

Users are advised to upgrade the installations to a patched version as soon as possible to mitigate potential risks. GitLab.com and GitLab Dedicated environments are already running the latest version.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

Next Post

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Related Posts

Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws

Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems. The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and
Avatar
Read More

Why the Right Metrics Matter When it Comes to Vulnerability Management

How’s your vulnerability management program doing? Is it effective? A success? Let’s be honest, without the right metrics or analytics, how can you tell how well you’re doing, progressing, or if you’re getting ROI? If you’re not measuring, how do you know it’s working? And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to
Omega Balla
Read More