GitLab Create Workspace Write Arbitrary File Overwrite Vulnerability

GitLab has released a security patch to address a critical vulnerability in its workspace creation feature. The vulnerability allows authenticated users to write arbitrary files to GitLab servers, which could lead to data breaches, malware infections, or other security issues.

Vulnerability overview

GitLab has once again released a security patch to fix a critical security vulnerability in its Community Edition (CE) and Enterprise Edition (EE) that can be used to write arbitrary files when creating workspaces.

The vulnerability is tracked as CVE-2024-0402 and carries a CVSS score of 9.9 out of 10.

In a bulletin posted on January 25, 2024, GitLab stated, "An issue has been identified in GitLab CE/EE affecting all versions below 16.5.8, 16.6.6, 16.7.4, and 16.8.1, which allows an authenticated user to write files to a server to an arbitrary location."

Affected versions

  • GitLab CE/EE all versions below 16.5.8, 16.6.6, 16.7.4 and 16.8.1

Security risk

  • An attacker who successfully exploited this vulnerability could write arbitrary files on the GitLab server to plant malicious code, steal sensitive data, or destabilize the system.

Remediation

  • Upgrade your GitLab instance to a version that fixes the vulnerability now:
    • GitLab CE/EE 16.5.8
    • GitLab CE/EE 16.6.6
    • GitLab CE/EE 16.7.4
    • GitLab CE/EE 16.8.1
  • If an immediate upgrade is not possible, take the following mitigation measures:
    • Restrict the permissions of users who can create workspaces.
    • Closely monitor system activity and take action on suspicious behavior.
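Deciding whether a given instance needs the upgrade is a version comparison across four release branches, which is easy to get wrong by hand (16.7.3 is vulnerable, 16.6.6 is not, and anything older than 16.5 has no patched release in its own branch). The following is an added example, not code from GitLab or from the original article: it encodes the four fixed releases named above, classifies a version string such as the one reported by `/api/v4/version` or `gitlab-rake gitlab:env:info`, and names the smallest fixed release to move to. The sample inventory at the bottom is constructed; treating every branch older than 16.5 as affected follows the article's "all versions below" wording and is an assumption for branches it does not list explicitly.

```python
"""Triage GitLab instances against the CVE-2024-0402 fixed releases.

Fixed releases per the advisory text: 16.5.8, 16.6.6, 16.7.4, 16.8.1.
Any version below the fixed release of its own branch is affected; branches
older than 16.5 have no fixed release and must move to 16.5.8 or later.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Smallest patched release per (major, minor) branch, taken from the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}

# Accepts "16.7.3", "v16.7.3", "16.7.3-ee", "16.7.3-ce.0" and similar suffixes.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Reduce a GitLab version string to a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the instance still runs a release below the fix for its branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        # Same branch as a fixed release: vulnerable only below that release.
        return version < FIXED_RELEASES[branch]
    # Assumption (from the article's wording): every release older than the
    # oldest fixed branch is affected, since no fix was issued for it.
    if version < min(FIXED_RELEASES.values()):
        return True
    # Branches newer than 16.8 shipped after the fix and are not affected.
    return False


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Smallest fixed release to upgrade to, or None if already patched."""
    if not is_affected(version_text):
        return None
    branch = parse_version(version_text)[:2]
    # Stay on the same branch when it has a fix; otherwise take the oldest fix.
    target = FIXED_RELEASES.get(branch, min(FIXED_RELEASES.values()))
    return ".".join(str(part) for part in target)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected hostname to the release it should be upgraded to."""
    return {
        host: recommended_upgrade(version)
        for host, version in inventory.items()
        if is_affected(version)
    }


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "16.7.3-ee",
    "gitlab-dev.example.internal": "v16.8.1-ce",
    "gitlab-legacy.example.internal": "16.4.2",
    "gitlab-new.example.internal": "16.9.0",
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {target}")
```

Running the script lists only the instances that still need action, so it can be fed from an asset inventory or from the version endpoint of each instance as part of the monitoring step above.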

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/gitlab-workspace-creation-vulnerability-allows-file-overwrite.html
