January 30, 2024 at 11:36AM
GitLab released fixes for a critical security flaw (CVE-2024-0402) in its Community and Enterprise Editions, allowing unauthorized writing of files. Patches have been backported, and additional medium-severity flaws were resolved. Users are urged to upgrade to the latest version promptly. This follows recent fixes to address critical vulnerabilities in the platform.
Key takeaways from the meeting notes:
1. GitLab released fixes for a critical security flaw, tracked as CVE-2024-0402, with a CVSS score of 9.9. This vulnerability allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
2. Patches for the vulnerability have been backported to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
3. GitLab also resolved four medium-severity flaws related to regular expression denial-of-service, HTML injection, and the disclosure of a user’s public email address through the tags RSS feed.
4. This latest update follows the recent fixes for two critical shortcomings, including one that could be exploited to take over accounts without user interaction, tracked as CVE-2023-7028 with a CVSS score of 10.0.
5. Users are advised to upgrade their installations to the patched version as soon as possible to mitigate potential risks.
6. GitLab.com and GitLab Dedicated environments are already running the latest version.
Feel free to reach out if you need any further information!