GitLab the moment again launched fixes to handle a critical security flaw in its Group Edition (CE) and Business Version (EE) that could be exploited to write arbitrary data files even though developing a workspace.
Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10.
“An issue has been found in GitLab CE/EE influencing all versions from 16. prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated consumer to produce information to arbitrary locations on the GitLab server even though producing a workspace,” GitLab said in an advisory produced on January 25, 2024.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The company also noted patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
Also fixed by GitLab are 4 medium-severity flaws that could lead to a common expression denial-of-services (ReDoS), HTML injection, and the disclosure of a user’s general public email tackle via the tags RSS feed.
The newest update comes two months just after the DevSecOps platform shipped fixes to near out two critical shortcomings, such as one that could be exploited to take in excess of accounts with out demanding any user conversation (CVE-2023-7028, CVSS score: 10.).
Buyers are recommended to upgrade the installations to a patched variation as shortly as attainable to mitigate probable dangers. GitLab.com and GitLab Dedicated environments are currently running the most current edition.
Identified this write-up fascinating? Abide by us on Twitter and LinkedIn to go through far more special content material we write-up.
Some sections of this report are sourced from:
thehackernews.com