A critical vulnerability, tracked as CVE-2024-0402, has been discovered in GitLab CE/EE, impacting various versions ranging from 16.0 to 16.8.1. This flaw poses a severe threat, as authenticated users can exploit it to write files to any location on the GitLab server during the workspace creation process. With a high CVSS score of 9.9 out of 10, the urgency to address and patch this vulnerability cannot be overstated.
CVE-2024-0402: Technical Overview
Vulnerability Details
The identified flaw allows authenticated users to perform unauthorized file writing actions on the GitLab server. Specifically, this occurs during the creation of a workspace. GitLab versions affected include 16.0 to 16.5.8, 16.6 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1. To counter this threat, GitLab swiftly responded by releasing patches, which have been backported to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
In addition to addressing this critical flaw, GitLab’s latest update tackles four medium-severity vulnerabilities. These include potential risks related to regular expression denial-of-service (ReDoS), HTML injection, and the inadvertent disclosure of a user’s public email address through the tags RSS feed.
GitLab’s Ongoing Security Measures
This recent release follows GitLab’s commitment to ongoing security enhancements. In a previous update two weeks ago, GitLab addressed two critical shortcomings. One of these vulnerabilities, CVE-2023-7028 (CVSS score: 10.0), could be exploited to take over accounts without any user interaction. Reported by the security researcher ‘Asterion’ through the HackerOne bug bounty platform, this vulnerability was introduced on May 1, 2023, with version 16.1.0. Users are strongly advised to update to the patched versions (16.7.2, 16.5.6, and 16.6.4) or implement the fix backported to versions 16.1.6, 16.2.9, and 16.3.7.
Recommendations for Users
To mitigate potential risks associated with the CVE-2024-0402 vulnerability and others:
- Immediate Upgrade: Users are strongly advised to promptly upgrade their GitLab installations to the patched version.
- Ongoing Vigilance: Regularly monitor for security updates and apply them promptly to ensure protection against emerging threats.
- GitLab.com and Dedicated Environments: Acknowledge that GitLab.com and GitLab Dedicated environments are already running the latest version, emphasizing the importance of keeping software up-to-date for enhanced security measures.
Conclusion
The severity of the CVE-2024-0402 vulnerability underscores the critical importance of maintaining vigilance over system security. By promptly applying updates, users can fortify their GitLab installations against potential threats and contribute to a more secure software environment. GitLab’s commitment to swift responses and ongoing security measures reinforces the collaborative effort required to safeguard against cyber threats.
