GitLab has released critical security patches for its Community Edition (CE) and Enterprise Edition (EE) to address a vulnerability (CVE-2024-0402) that could allow an authenticated user to write files to arbitrary locations during workspace creation. This flaw, with a CVSS score of 9.9, impacts versions 16.0 to 16.8.1. The company has backported patches for the bug to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1. In addition to the critical fix, GitLab has also addressed four medium-severity flaws involving regular expression denial-of-service (ReDoS), HTML injection, and disclosure of a user’s public email address through the tags RSS feed.
The critical vulnerability, CVE-2024-0402, poses a significant security risk as it could be exploited by authenticated users to write files to arbitrary locations on the GitLab server during workspace creation. GitLab has responded swiftly by releasing patches for the bug, backporting them to multiple versions to ensure a comprehensive fix. This latest update comes just two weeks after GitLab addressed two other critical shortcomings, one of which could potentially allow account takeover without requiring user interaction (CVE-2023-7028, CVSS score: 10.0). The DevSecOps platform emphasizes the importance of upgrading installations to the patched version promptly to mitigate potential security risks.
Alongside the critical vulnerability, GitLab has resolved four medium-severity flaws, each presenting its own security concerns. These include issues related to regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user’s public email address via the tags RSS feed. These medium-severity vulnerabilities, while not as critical as the main security flaw, further highlight the company’s commitment to maintaining a secure software development environment. Users are strongly advised to upgrade their GitLab installations to the latest patched version to ensure comprehensive protection against potential security threats.