Days after releasing a significant update, GitLab rolled out another emergency update addressing a critical vulnerability affecting workspace creation. The service urged all customers to update to the latest releases at the earliest opportunity, assuring that the GitLab.com and GitLab Dedicated environments already run the patched versions.
GitLab Workspace Creation Vulnerability
According to a recent post, GitLab patched five vulnerabilities affecting the service, including a critical severity flaw. As described, exploiting the vulnerability could allow arbitrary file write during workspace creation.
While the advisory doesn't elaborate on this vulnerability, CVE-2024-0402, it did highlight its severity, mentioning its CVSS score (9.9). This critical severity flaw caught the attention of a GitLab team member, compelling the service to release the patch for all supported versions. In fact, GitLab also backported this fix to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
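As an added example (not code from GitLab or the advisory), the check below takes an installed GitLab version string and decides whether it carries the CVE-2024-0402 fix, using the four backported fix versions named above; it assumes a version on a release line newer than 16.8 (which did not exist when the backports shipped) also contains the fix, and that a line older than 16.5 received no backport.

```python
import re

# Fix versions for CVE-2024-0402 as listed in the advisory quoted above.
FIXED_VERSIONS = ("16.5.8", "16.6.6", "16.7.4", "16.8.1")


def parse_version(version):
    """Turn '16.7.4-ee' or '16.8.1' into (16, 7, 4); edition suffixes are ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def required_upgrade(installed, fixed=FIXED_VERSIONS):
    """Return None if `installed` already has the fix, otherwise the version to move to.

    Rules: a release line (major.minor) with a backport needs at least that patch
    release; a line newer than every backport is assumed fixed; a line older than
    every backport never got a patch, so the newest fix version is recommended.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed)
    for fix in fixes:
        if fix[:2] == inst[:2]:
            # Same release line: patched once at or above the backported patch release.
            return None if inst >= fix else ".".join(map(str, fix))
    if inst[:2] > fixes[-1][:2]:
        return None  # assumption: later lines were cut after the fix landed
    return ".".join(map(str, fixes[-1]))  # unsupported older line: jump to newest fix


def audit(hosts):
    """Map host -> installed version to a list of (host, version, upgrade target) needing work."""
    return [(host, ver, required_upgrade(ver))
            for host, ver in hosts.items() if required_upgrade(ver) is not None]


if __name__ == "__main__":
    # Constructed inventory for illustration; the host names are placeholders.
    sample = {"ci-a": "16.8.0-ee", "ci-b": "16.7.4-ee", "ci-c": "16.4.3", "ci-d": "16.9.0"}
    for host, ver, target in audit(sample):
        print(f"{host}: {ver} lacks the CVE-2024-0402 fix, upgrade to {target}")
```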
Other GitLab Security Fixes
In addition, the other vulnerabilities addressed in the latest update include the following medium severity issues.
- CVE-2023-6159 (CVSS 6.5): Exploiting the vulnerability could allow an adversary to trigger a Regular Expression Denial of Service (ReDoS) via a maliciously crafted input containing Cargo.toml. GitLab learned of this vulnerability through a HackerOne bug report.
- CVE-2023-5933 (CVSS 6.4): Improper input sanitization of the user name could allow arbitrary API PUT requests.
- CVE-2023-5612 (CVSS 5.3): The vulnerability existed because user email addresses were exposed via tags even when profile visibility was set to disabled.
- CVE-2024-0456 (CVSS 4.3): This vulnerability could let an unauthorized attacker assign arbitrary users to merge requests (MRs) within the project.
The recent update marks the second major security release from GitLab this month. Earlier this month, GitLab released versions 16.7.2, 16.6.4, and 16.5.6 for both Community Edition and Enterprise Edition (CE/EE), patching a severe zero-click vulnerability. Now that another security release is out, users should update their systems to the latest versions to receive all patches in time.
Let us know your thoughts in the comments.