GitLab as soon as once more launched fixes to deal with a crucial safety flaw in its Neighborhood Version (CE) and Enterprise Version (EE) that might be exploited to put in writing arbitrary recordsdata whereas making a workspace.
Tracked as CVE-2024-0402, the vulnerability has a CVSS rating of 9.9 out of a most of 10.
“A problem has been found in GitLab CE/EE affecting all variations from 16.0 previous to 16.5.8, 16.6 previous to 16.6.6, 16.7 previous to 16.7.4, and 16.8 previous to 16.8.1 which permits an authenticated consumer to put in writing recordsdata to arbitrary places on the GitLab server whereas making a workspace,” GitLab mentioned in an advisory launched on January 25, 2024.
The corporate additionally famous patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
Additionally resolved by GitLab are 4 medium-severity flaws that might result in an everyday expression denial-of-service (ReDoS), HTML injection, and the disclosure of a consumer’s public e mail handle through the tags RSS feed.
The newest replace arrives two weeks after the DevSecOps platform shipped fixes to shut out two crucial shortcomings, together with one which might be exploited to take over accounts with out requiring any consumer interplay (CVE-2023-7028, CVSS rating: 10.0).
Customers are suggested to improve the installations to a patched model as quickly as attainable to mitigate potential dangers. GitLab.com and GitLab Devoted environments are already operating the newest model.