GitLab Security Release Fixes Critical File Overwrite Vulnerability
GitLab has recently released important patches to fix a critical security vulnerability affecting both its Community Edition (CE) and Enterprise Edition (EE). The flaw, identified as CVE-2024-0402, carries a CVSS score of 9.9 out of 10 and could allow attackers to write arbitrary files while creating a workspace.
GitLab disclosed in an advisory that the vulnerability impacts all CE/EE versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. This flaw enables authenticated users to write files to arbitrary locations on the GitLab server during workspace creation. The company has backported the patch for this issue to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1. Note, however, that the 16.5.8 release contains only the fix for this vulnerability and no other changes.
Other Fixed GitLab Security Vulnerabilities
In addition to addressing the critical vulnerability, this security release has also resolved four medium-severity flaws in GitLab. These include:
CVE-2023-6159 (CVSS Severity Score: 6.5 Medium)
A vulnerability has been identified in GitLab CE/EE versions 12.7 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1. Attackers could exploit it by supplying maliciously crafted input in a Cargo.toml file, causing a Regular Expression Denial of Service (ReDoS).
CVE-2023-5933 (CVSS Severity Score: 6.4 Medium)
A vulnerability has been found in GitLab CE/EE versions from 13.7 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1. Improper input sanitization of user names enables arbitrary API PUT requests.
CVE-2023-5612 (CVSS Severity Score: 5.3 Medium)
A vulnerability has been identified in GitLab across all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Despite user profile email visibility being disabled, it was still possible to access user email addresses via the tags feed.
CVE-2024-0456 (CVSS Severity Score: 4.3 Medium)
An authorization vulnerability has been found in GitLab versions ranging from 14.0 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1. This allows unauthorized attackers to assign arbitrary users to Merge Requests (MRs) they created within the project.
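A defender's version check written for this summary (an added example, not GitLab's own code or tooling): it encodes the affected ranges quoted above for all five CVEs, reading each "X to Y" or "X prior to Y" range as "from X inclusive up to, but excluding, the fixed version Y" (an assumption about the article's wording, with "all versions before 16.6.6" encoded as a lower bound of 0.0), and reports which CVEs from this release still apply to a given GitLab version string.

```python
# Added example (not from GitLab or the article): check a GitLab version
# string against the affected ranges quoted in this release summary.
from typing import List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.5.8' into (16, 5, 8); a short '16.6' pads to (16, 6, 0)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))

# Each entry: (CVE, [(first affected version, first fixed version), ...]).
# Assumption: a range runs from the first value inclusive up to but excluding
# the fixed version, so the fixed version itself is not affected.
# "0.0" is a constructed lower bound standing for "all versions before".
AFFECTED: List[Tuple[str, List[Tuple[str, str]]]] = [
    ("CVE-2024-0402", [("16.0", "16.5.8"), ("16.6", "16.6.6"),
                       ("16.7", "16.7.4"), ("16.8", "16.8.1")]),
    ("CVE-2023-6159", [("12.7", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")]),
    ("CVE-2023-5933", [("13.7", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")]),
    ("CVE-2023-5612", [("0.0", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")]),
    ("CVE-2024-0456", [("14.0", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")]),
]

def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version < high, comparing numerically per component."""
    v = parse_version(version)
    return parse_version(low) <= v < parse_version(high)

def affected_cves(version: str) -> List[str]:
    """Return the CVEs from this release that still apply to `version`."""
    return [cve for cve, ranges in AFFECTED
            if any(in_range(version, lo, hi) for lo, hi in ranges)]

if __name__ == "__main__":
    # Constructed sample versions, including the fixed releases themselves.
    for v in ("16.5.7", "16.5.8", "16.6.6", "16.7.3", "16.8.0", "16.8.1", "15.11.2"):
        hits = affected_cves(v)
        print(f"{v}: {'patched' if not hits else ', '.join(hits)}")
```

Running it on 16.5.8 reports the four medium-severity CVEs as still open, which matches the advisory's note that 16.5.8 carries only the CVE-2024-0402 fix.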
Conclusion
This latest GitLab security release came just two weeks after GitLab patched two critical vulnerabilities, one of which could be exploited to take over accounts without any user interaction (CVE-2023-7028, CVSS score: 10.0). To mitigate potential risks, users are strongly advised to upgrade their GitLab installations to the patched versions as soon as possible.
The sources for this article include a story from TheHackerNews and GitLab Releases.