GitLab as soon as once more launched fixes to handle a crucial safety flaw in its Group Version (CE) and Enterprise Version (EE) that could possibly be exploited to put in writing arbitrary recordsdata whereas making a workspace.
Tracked as CVE-2024-0402, the vulnerability has a CVSS rating of 9.9 out of a most of 10.
“A difficulty has been found in GitLab CE/EE affecting all variations from 16.0 previous to 16.5.8, 16.6 previous to 16.6.6, 16.7 previous to 16.7.4, and 16.8 previous to 16.8.1 which permits an authenticated person to put in writing recordsdata to arbitrary places on the GitLab server whereas making a workspace,” GitLab stated in an advisory launched on January 25, 2024.
The corporate additionally famous patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
Additionally resolved by GitLab are 4 medium-severity flaws that would result in an everyday expression denial-of-service (ReDoS), HTML injection, and the disclosure of a person’s public e mail tackle through the tags RSS feed.
The most recent replace arrives two weeks after the DevSecOps platform shipped fixes to shut out two crucial shortcomings, together with one which could possibly be exploited to take over accounts with out requiring any person interplay (CVE-2023-7028, CVSS rating: 10.0).
Customers are suggested to improve the installations to a patched model as quickly as doable to mitigate potential dangers. GitLab.com and GitLab Devoted environments are already operating the newest model.
