GitLab users warned about a bug that allows file overwriting, so update now

GitLab recently discovered a critical vulnerability in its Community Edition (CE) and Enterprise Edition (EE) instances, allowing malicious actors to write arbitrary files while creating a workspace.

In a security bulletin, GitLab said that the vulnerability is quite serious and users should apply the patch with utmost urgency.

The vulnerability affects all versions from 16.0 before 16.5.8, 16.6 before 16.6.6, 16.7 before 16.7.4, and 16.8 before 16.8.1, the project said in the announcement.
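The affected-version matrix above is easy to misread when an instance sits in the middle of a range (16.3.x, for instance, is covered by "16.0 before 16.5.8"). The following added example, which is not GitLab's own code, encodes exactly the ranges quoted in the article as half-open intervals and reports the minimum upgrade target; the version strings it parses (including the `-ee`/`-ce` suffix GitLab appends) are constructed sample input.

```python
"""Check a GitLab CE/EE version string against the CVE-2024-0402 ranges.

Added example, not GitLab's code. Ranges are those quoted in the article:
16.0 before 16.5.8, 16.6 before 16.6.6, 16.7 before 16.7.4, 16.8 before 16.8.1.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Each entry is (first affected release inclusive, first fixed release exclusive).
# Tuple comparison orders versions correctly, so 16.3.5 falls inside (16.0.0, 16.5.8).
AFFECTED_RANGES_CVE_2024_0402: List[Tuple[Version, Version]] = [
    ((16, 0, 0), (16, 5, 8)),
    ((16, 6, 0), (16, 6, 6)),
    ((16, 7, 0), (16, 7, 4)),
    ((16, 8, 0), (16, 8, 1)),
]

# Accepts "16.7.3", "16.7.3-ee", "16.7.3-ce" or "16.7" (missing patch defaults to 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ee|ce))?$")


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def first_fixed_release(version: str,
                        ranges=AFFECTED_RANGES_CVE_2024_0402) -> Optional[str]:
    """Return the patched release an affected instance should move to, else None."""
    v = parse_version(version)
    for lo, hi in ranges:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def is_affected(version: str, ranges=AFFECTED_RANGES_CVE_2024_0402) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    return first_fixed_release(version, ranges) is not None


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from each instance's version API.
    for v in ["16.7.3-ee", "16.5.8", "16.3.5", "15.11.13", "16.9.0"]:
        print(v, "->", first_fixed_release(v) or "not affected")
```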

Even more bugs to patch

“This is a critical issue,” GitLab said, adding that it has been given a severity score of 9.9. “It has now been addressed in the latest release and is assigned CVE-2024-0402.”

The company also said that the patch has been backported to 16.5.8, in addition to 16.6.6, 16.7.4 and 16.8.1. “GitLab 16.5.8 only contains a fix for this vulnerability and does not include any of the other fixes or changes mentioned in this blog post,” the announcement concluded. GitLab.com and GitLab Dedicated environments are said to already be using the upgraded version.

In the same advisory, GitLab also said it was addressing four moderate flaws that could result in a regular expression denial of service (ReDoS), HTML injection, and leakage of users’ public email addresses via the tags’ RSS feed.

This isn’t the first time GitLab users have been urged to immediately apply a patch and fix a critical bug. In September last year, GitLab said it had found a flaw in its scan execution policies that allowed pipelines (a series of automated tasks) to be run as a different user.

This flaw was tracked as CVE-2023-4998 and has a severity score of 9.6. It affected a number of versions of the software, namely GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, and versions 16.3 through 16.3.4.

Via The Hacker News
