GitLab the moment again launched fixes to handle a critical security flaw in its Group Edition (CE) and Business Version (EE) that could be exploited to write arbitrary data files even though developing a workspace.
Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10.
“An issue has been found in GitLab CE/EE influencing all versions from 16. prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated consumer to produce information to arbitrary locations on the GitLab server even though producing a workspace,” GitLab said in an advisory produced on January 25, 2024.
The company also noted patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
Also fixed by GitLab are 4 medium-severity flaws that could lead to a common expression denial-of-services (ReDoS), HTML injection, and the disclosure of a user’s general public email tackle via the tags RSS feed.
The newest update comes two months just after the DevSecOps platform shipped fixes to near out two critical shortcomings, such as one that could be exploited to take in excess of accounts with out demanding any user conversation (CVE-2023-7028, CVSS score: 10.).
Buyers are recommended to upgrade the installations to a patched variation as shortly as attainable to mitigate probable dangers. GitLab.com and GitLab Dedicated environments are currently running the most current edition.
Identified this write-up fascinating? Abide by us on Twitter and LinkedIn to go through far more special content material we write-up.
Some sections of this report are sourced from: