Lucene search

K
thnThe Hacker NewsTHN:040E7498A475707D527842A7540CD6D1
HistoryJan 30, 2024 - 4:18 p.m.

URGENT: Upgrade GitLab - Critical Workspace Creation Flaw Allows File Overwrite

2024-01-3016:18:00
The Hacker News
thehackernews.com
31
gitlab
security flaw
file overwrite
workspace creation
cve-2024-0402
cvss score 9.9
patch
vulnerability
devsecops
upgrade recommended.

AI Score

6.8

Confidence

Low

EPSS

0.965

Percentile

99.6%

GitLab

GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace.

Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace,” GitLab said in an advisory released on January 25, 2024.

Cybersecurity

The company also noted patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.

Also resolved by GitLab are four medium-severity flaws that could lead to a regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user’s public email address via the tags RSS feed.

The latest update arrives two weeks after the DevSecOps platform shipped fixes to close out two critical shortcomings, including one that could be exploited to take over accounts without requiring any user interaction (CVE-2023-7028, CVSS score: 10.0).

Users are advised to upgrade the installations to a patched version as soon as possible to mitigate potential risks. GitLab.com and GitLab Dedicated environments are already running the latest version.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.