GitLab recently discovered a critical vulnerability in its Community Edition (CE) and Enterprise Edition (EE) instances, which could allow malicious actors to write arbitrary files while creating a workspace.
In a security bulletin, GitLab said the vulnerability is quite serious and that users should apply the patch with utmost urgency.
The vulnerability affects all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1, the project said in the announcement.
More bugs to patch
“This is a critical severity issue,” GitLab said, adding that it has been assigned a severity score of 9.9. “It is now mitigated in the latest release and is assigned CVE-2024-0402.”
The company also said the patch was backported to 16.5.8 besides 16.6.6, 16.7.4, and 16.8.1. “GitLab 16.5.8 only includes a fix for this vulnerability and does not contain any of the other fixes or changes mentioned in this blog post,” the announcement concluded. GitLab.com and GitLab Dedicated environments are said to already be running the upgraded version.
In the same advisory, GitLab also said it addressed four medium-severity flaws that could result in a regular expression denial-of-service (ReDoS), HTML injection, and the leaking of users’ public email addresses via the tags RSS feed.
This is not the first time GitLab users were urged to immediately apply a patch and fix a critical flaw. In September last year, GitLab said it found a flaw in scan execution policies to run pipelines (a series of automated tasks) as another user.
This flaw was tracked as CVE-2023-4998 and carries a severity score of 9.6. It impacted a couple of versions of the software, namely GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, and versions 16.3 through 16.3.4.
Via The Hacker News