Critical GitLab File Overwrite Vulnerability CVE-2024-0402 CVSS10

Brandon Lee
(@brandon-lee)
Topic starter
 

GitLab has recently issued updates to fix a severe security vulnerability present in both its Community Edition (CE) and Enterprise Edition (EE). This vulnerability, tracked as CVE-2024-0402 and rated with a high CVSS score of 9.9, could be exploited by attackers to write files in arbitrary locations on the GitLab server during workspace creation.

The advisory, released on January 25, 2024, specifies that the issue impacts all GitLab CE/EE versions starting from 16.0 up to but not including 16.5.8, versions 16.6 up to 16.6.6, versions 16.7 up to 16.7.4, and versions 16.8 up to 16.8.1. It notes that an authenticated user can exploit this vulnerability to write files to any location on the GitLab server while setting up a workspace.

To address this issue, GitLab has backported patches to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.

Also, GitLab resolved four medium-severity vulnerabilities in the latest update. These flaws included risks of a regular expression denial-of-service (ReDoS), HTML injection, and the potential exposure of a user’s public email address through the tags RSS feed.

This update follows closely on the heels of another recent security patch release by GitLab. Just two weeks earlier, the DevSecOps platform had released fixes for two critical vulnerabilities, including one (CVE-2023-7028, CVSS score: 10.0) that allowed account takeover without requiring any user interaction.

https://thehackernews.com/2024/01/urgent-upgrade-gitlab-critical.html

Posted: 30/01/2024 3:43 pm
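For administrators who want to check their own instance against the version ranges given in the post, here is a small version-range check. It is an added example written for this thread, not code from GitLab or from the post's author. The affected ranges are taken verbatim from the advisory summary above ("from 16.0 up to but not including 16.5.8", and so on); the sample API payload is constructed for illustration and only assumes that GitLab's `GET /api/v4/version` endpoint returns a JSON object with a `version` field.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory as summarized in the post, written as
# half-open intervals [lower, upper): the upper bound is the first fixed release.
AFFECTED_RANGES = (
    ((16, 0, 0), (16, 5, 8)),   # 16.0 up to but not including 16.5.8
    ((16, 6, 0), (16, 6, 6)),   # 16.6 up to but not including 16.6.6
    ((16, 7, 0), (16, 7, 4)),   # 16.7 up to but not including 16.7.4
    ((16, 8, 0), (16, 8, 1)),   # 16.8 up to but not including 16.8.1
)


def parse_version(text: str) -> Version:
    """Turn strings such as "16.5.7", "v16.5.7" or "16.5.7-ee" into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0]   # drop edition suffix like "-ee"
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))                      # "16.8" means 16.8.0
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the given GitLab version falls inside any range affected by CVE-2024-0402."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the backported release an affected version should move to, or None if already safe."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_version_payload(payload: dict) -> str:
    """Summarise the state of an instance from the JSON object returned by GET /api/v4/version."""
    version = payload["version"]
    fix = fixed_version_for(version)
    if fix is None:
        return f"GitLab {version}: not in an affected range for CVE-2024-0402"
    return f"GitLab {version}: AFFECTED by CVE-2024-0402, upgrade to {fix}"


if __name__ == "__main__":
    # Constructed sample payload, shaped like the /api/v4/version response; not real data.
    sample_payload = {"version": "16.7.2-ee", "revision": "placeholder"}
    print(check_version_payload(sample_payload))
```

The version comparison works on integer tuples so that 16.10 would sort after 16.9 rather than before it, and the edition suffix is stripped because the advisory covers CE and EE alike. Feed it the `version` field from an authenticated call to `/api/v4/version` (or the value shown on the admin area page) rather than copying it by hand.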