GitLab has once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files when creating a workspace.
Tracked as CVE-2024-0402the vulnerability has a CVSS score of 9.9 out of a possible 10.
“An issue has been discovered in GitLab CE/EE affecting all versions 16.0 before 16.5.8, 16.6 before 16.6.6, 16.7 before 16.7.4, and 16.8 before 16.8.1 that allows an authenticated user to write files to arbitrary locations on the GitLab server when creating a workspace,” GitLab said in an advisory published on January 25, 2024.
The company also noted that patches for the bug have been pushed to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
GitLab also addressed four medium-severity flaws that could lead to regular expression denial-of-service (ReDoS), HTML injection, and disclosure of a user’s public email address via the tags’ RSS feed.
The latest update comes two weeks after the DevSecOps platform released fixes to address two critical flaws, including one that could be exploited to take control of accounts without requiring any user interaction (CVE-2023-7028, CVSS score: 10.0).
Users are advised to update installations to a patched version as soon as possible to mitigate potential risks. The GitLab.com and GitLab Dedicated environments are already running the latest version.