GitLab as soon as once more launched fixes to deal with a vital security flaw in its Group Version (CE) and Enterprise Version (EE) that may very well be exploited to jot down arbitrary recordsdata whereas making a workspace.
Tracked as CVE-2024-0402, the vulnerability has a CVSS rating of 9.9 out of a most of 10.
“A difficulty has been found in GitLab CE/EE affecting all variations from 16.0 previous to 16.5.8, 16.6 previous to 16.6.6, 16.7 previous to 16.7.4, and 16.8 previous to 16.8.1 which permits an authenticated person to jot down recordsdata to arbitrary areas on the GitLab server whereas making a workspace,” GitLab mentioned in an advisory launched on January 25, 2024.
The corporate additionally famous patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
Additionally resolved by GitLab are 4 medium-severity flaws that might result in a daily expression denial-of-service (ReDoS), HTML injection, and the disclosure of a person’s public e mail tackle by way of the tags RSS feed.
The newest replace arrives two weeks after the DevSecOps platform shipped fixes to shut out two vital shortcomings, together with one which may very well be exploited to take over accounts with out requiring any person interplay (CVE-2023-7028, CVSS rating: 10.0).
Customers are suggested to improve the installations to a patched model as quickly as potential to mitigate potential dangers. GitLab.com and GitLab Devoted environments are already operating the most recent model.
