TechRadar
Sead Fadilpašić

GitLab users warned of flaw that allows file overwrite — so update now


GitLab has disclosed a critical vulnerability in its Community Edition (CE) and Enterprise Edition (EE) that could allow an attacker to write arbitrary files to the server while creating a workspace.

In a security bulletin, GitLab said the vulnerability is quite serious and that users should apply the patch with utmost urgency.

The vulnerability affects all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1, GitLab said in its announcement.
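The ranges above are lower-bound inclusive and upper-bound exclusive (the "prior to" version is the first fixed release), which is easy to get wrong by hand when triaging a fleet of self-managed instances. The following is an added example, not code from TechRadar or GitLab, that encodes those ranges and checks a version string against them. It also parses the JSON body that GitLab's real `GET /api/v4/version` endpoint returns; the sample response embedded below is constructed for the example, and the `-ee` suffix handling assumes the usual `MAJOR.MINOR.PATCH[-ee]` format GitLab reports.

```python
import json
import re

# Affected ranges for CVE-2024-0402, as listed in GitLab's advisory:
# (first affected version, first fixed version). The lower bound is
# inclusive, the upper bound exclusive, so 16.5.7 is affected and 16.5.8 is not.
CVE_2024_0402_RANGES = [
    ((16, 0, 0), (16, 5, 8)),
    ((16, 6, 0), (16, 6, 6)),
    ((16, 7, 0), (16, 7, 4)),
    ((16, 8, 0), (16, 8, 1)),
]

# Constructed sample of what GET /api/v4/version returns (the endpoint is
# real; the values here are made up for the example).
SAMPLE_VERSION_RESPONSE = '{"version": "16.7.3-ee", "revision": "0123456abcd"}'


def parse_version(version: str) -> tuple:
    """Turn a GitLab version string such as '16.7.3' or '16.7.3-ee' into a
    comparable (major, minor, patch) tuple. A missing patch component is
    treated as 0, so '16.8' compares as 16.8.0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str, ranges=CVE_2024_0402_RANGES) -> bool:
    """True if the given version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def check_version_response(body: str) -> dict:
    """Given the JSON body from GET /api/v4/version (which requires an
    authenticated token), report the version and whether it is affected."""
    data = json.loads(body)
    version = data["version"]
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_version_response(SAMPLE_VERSION_RESPONSE))
    for v in ("16.5.7", "16.5.8", "16.8.0", "16.8.1", "15.11.13"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Run against a real instance by fetching `/api/v4/version` with a personal access token and passing the response body to `check_version_response`. Note that a version reported as 16.5.8 is patched against this issue only; per the advisory that backport carries none of the other fixes in the release.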

More bugs to patch

“This is a critical severity issue,” GitLab said, adding that it has been assigned a severity score of 9.9. “It is now mitigated in the latest release and is assigned CVE-2024-0402.”

The company also said the patch was backported to 16.5.8 in addition to 16.6.6, 16.7.4, and 16.8.1. “GitLab 16.5.8 only includes a fix for this vulnerability and does not contain any of the other fixes or changes mentioned in this blog post,” the announcement concluded. GitLab.com and GitLab Dedicated environments are already running the upgraded version, according to the company.

In the same advisory, GitLab also said it addressed four medium-severity flaws that could result in a regular expression denial-of-service (ReDoS), HTML injection, and the leaking of users’ public email addresses via the tags RSS feed.

This is not the first time GitLab users have been urged to apply a patch for a critical flaw immediately. In September last year, GitLab disclosed a flaw that allowed an attacker to abuse scan execution policies to run pipelines (a series of automated CI/CD jobs) as another user.

That flaw was tracked as CVE-2023-4998 and carries a severity score of 9.6. It affected GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, and versions 16.3 through 16.3.4.

Via The Hacker News
