GitLab recently disclosed a critical vulnerability in its Community Edition (CE) and Enterprise Edition (EE) instances that could allow a malicious actor to write arbitrary files while creating a workspace.
In its security advisory, GitLab stated that the vulnerability is very serious and that users should apply the patch as a matter of the highest urgency.
The project said in the advisory that the vulnerability affects all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4 and 16.8 prior to 16.8.1.
"This is a serious problem," said GitLab, adding that it has a severity score of 9.9. "It is now mitigated in the latest version and has been assigned CVE-2024-0402."
The company also said that, in addition to 16.7.4 and 16.8.1, the patch was backported to 16.5.8. "GitLab 16.5.8 contains only a fix for this vulnerability and does not contain any other fixes or changes mentioned in this blog post," the advisory concluded. GitLab said that GitLab.com and GitLab Dedicated environments are already running the upgraded versions.
In the same announcement, GitLab also stated that it addressed four medium-severity flaws that could lead to a regular expression denial of service (ReDoS), HTML injection, and the disclosure of a user's public email address via a tag RSS feed.
This isn't the first time GitLab users have been urged to apply patches for critical flaws right away. Last September, GitLab said it found a flaw in its scan execution policies that allowed an attacker to run a pipeline (a series of automated tasks) as another user.
That defect is tracked as CVE-2023-4998 with a severity score of 9.6. It affects several versions of the software, namely GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 to 16.2.7, and versions 16.3 to 16.3.4.