GitLab Inc [1] [4], the company behind the widely used source code management platform, has released patches for several vulnerabilities [1] [5], including a critical security flaw tracked as CVE-2024-0402 [2]. The flaw poses a high risk to affected servers because it allows authenticated users to write files to arbitrary locations, which could lead to the delivery of malware and unauthorized access to sensitive data.

Description

GitLab has addressed the critical vulnerability, which has a CVSS score of 9.9 out of 10 [2] [6], in versions 16.5.8, 16.6.6, 16.7.4 [1] [2] [4], and 16.8.1 of GitLab Community Edition (CE) and Enterprise Edition (EE). It is important to note that version 16.8.1 specifically contains the patch for CVE-2024-0402 [1]. The fixes have already been deployed to GitLab.com and GitLab Dedicated environments.

In addition to the critical flaw, GitLab has also resolved four medium-severity vulnerabilities [3]. These include a regular expression denial-of-service [3], an HTML injection [3], and the disclosure of a user's public email address [3]. These updates follow the company's fix for two critical shortcomings in a previous release [3].

Conclusion

To mitigate potential risks [3], users of self-managed installations are strongly advised to upgrade to a patched version [3]. Doing so protects their servers from compromise and from unauthorized access to sensitive data. Staying vigilant and applying security patches promptly is essential to the ongoing security of the GitLab platform.
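A quick way to act on this advice across a fleet is to compare each instance's reported version against the fixed releases listed above. The script below is an added example and is not code from the page, from GitLab, or from any of the cited articles. It assumes the operator has already retrieved the version string (for example from the `GET /api/v4/version` endpoint, which returns values such as `16.7.3-ee`); the sample version strings at the bottom are constructed for illustration. Because the page only lists the fixed releases for the 16.5 through 16.8 branches, versions on any other branch are reported as "branch not covered" rather than guessed at.

```python
"""Check self-managed GitLab version strings against the releases that
carry the fix for CVE-2024-0402 (16.5.8, 16.6.6, 16.7.4 and 16.8.1).

Added example; not GitLab's own tooling. Version strings are assumed to
have already been collected from each instance (e.g. GET /api/v4/version).
"""
import re

# Fixed release per minor branch, as listed in the advisory summary above.
FIXED_RELEASES = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}

# Accepts "16.7.3" as well as edition-suffixed forms such as "16.7.3-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?$")


def parse_version(version: str) -> tuple:
    """Turn '16.7.3-ee' into the comparable tuple (16, 7, 3)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(version: str) -> str:
    """Classify a version as 'patched', 'unpatched' or 'branch not covered'.

    'branch not covered' means the page lists no fixed release for that
    minor branch, so the result must be checked against the vendor advisory
    instead of being inferred here.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "branch not covered"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if (major, minor, patch) >= fixed else "unpatched"


def triage(inventory: dict) -> dict:
    """Map each instance name to its patch status; bad strings are flagged."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = patch_status(version)
        except ValueError as exc:
            report[name] = f"error: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample_inventory = {
        "ci-primary": "16.7.3-ee",
        "ci-secondary": "16.8.1-ee",
        "legacy-docs": "16.4.2",
        "scratch-box": "latest",
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host:14s} {status}")
```

Run it with the inventory replaced by the real version strings collected from each instance; any host reported as "unpatched" is a candidate for the upgrade described above, and "branch not covered" hosts need a manual check.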

References

[1] https://www.helpnetsecurity.com/2024/01/30/self-managed-gitlab-installations-should-be-patched-again-cve-2024-0402/
[2] https://vulners.com/thn/THN:040E7498A475707D527842A7540CD6D1
[3] https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html
[4] https://vumetric.com/cybersecurity-news/self-managed-gitlab-installations-should-be-patched-again-cve-2024-0402/
[5] https://www.itnews.com.au/news/gitlab-patches-another-critical-vulnerability-604520
[6] https://www.redpacketsecurity.com/urgent-upgrade-gitlab-critical-workspace-creation-flaw-allows-file-overwrite/