
Critical GitLab File Overwrite Vulnerability CVE-2024-0402 CVSS10

Brandon Lee

GitLab has recently issued updates to fix a severe security vulnerability present in both its Community Edition (CE) and Enterprise Edition (EE). This vulnerability, tracked as CVE-2024-0402 and rated with a high CVSS score of 9.9, could be exploited by attackers to write files to arbitrary locations on the GitLab server during workspace creation.

The advisory, released on January 25, 2024, specifies that the issue impacts all GitLab CE/EE versions starting from 16.0 up to but not including 16.5.8, versions 16.6 up to 16.6.6, versions 16.7 up to 16.7.4, and versions 16.8 up to 16.8.1. It notes that an authenticated user can exploit this vulnerability to write files to any location on the GitLab server while setting up a workspace.

To address this issue, GitLab has backported patches to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.

Also, GitLab resolved four medium-severity vulnerabilities in the latest update. These flaws included risks of a regular expression denial-of-service (ReDoS), HTML injection, and the potential exposure of a user’s public email address through the tags RSS feed.

This update follows closely on the heels of another recent security patch release by GitLab. Just two weeks earlier, the DevSecOps platform had released fixes for two critical vulnerabilities, including one (CVE-2023-7028, CVSS score: 10.0) that allowed account takeover without requiring any user interaction.

Posted : 30/01/2024 3:43 pm
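The affected-version ranges quoted above are the first thing an administrator has to check, so here is a small version-range checker as an added example (written for this post, not GitLab's own tooling). The ranges and patched releases are taken from the advisory as summarised in the post; the version strings fed to it are constructed samples. A version outside every listed range is reported as not affected only in the sense that the advisory does not list it, which is the caveat the note in the code spells out.

```python
"""Check whether a GitLab CE/EE version falls inside the ranges the
CVE-2024-0402 advisory lists as affected.

Example code added to this post; not GitLab's own tooling.
"""

from typing import Optional, Tuple

# Affected ranges as quoted in the post, expressed as [lower, fixed):
# a version is affected when lower <= version < fixed, and `fixed` is
# the backported release that closes the range.
AFFECTED_RANGES = [
    ("16.0.0", "16.5.8"),
    ("16.6.0", "16.6.6"),
    ("16.7.0", "16.7.4"),
    ("16.8.0", "16.8.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.7.3' (or '16.7.3-ee') into a tuple of ints that compares numerically."""
    core = text.strip().split("-")[0]  # drop an edition suffix such as '-ee'
    parts = tuple(int(p) for p in core.split("."))
    # Pad to three components so '16.7' compares like '16.7.0'.
    return parts + (0,) * (3 - len(parts))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for the branch `version` is on, or None
    if the version is not inside any range the advisory lists.

    Caveat: None means "not listed by this advisory", not "safe in general";
    a release newer than 16.8.1 is simply outside the advisory's scope.
    """
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version is inside one of the listed affected ranges."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory of instances to check.
    sample_versions = ["16.3.5", "16.5.8", "16.6.2", "16.7.4", "16.8.0-ee", "15.11.0"]
    for ver in sample_versions:
        target = fixed_version_for(ver)
        status = f"affected, upgrade to {target}" if target else "not listed as affected"
        print(f"{ver:>10}: {status}")
```

Because 16.0 through 16.5.7 form a single range, a 16.3.x instance is reported as affected and pointed at 16.5.8, which is what the advisory's wording ("16.0 up to but not including 16.5.8") implies.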