GitLab Patched A Workspace Creation Vulnerability With An Emergency Update

Days after releasing a major update, GitLab rolled out another emergency update addressing a serious vulnerability affecting workspace creation. The service urged all users to update to the latest releases as soon as possible, assuring them that the web and GitLab Dedicated environments already run the patched versions.

GitLab Workspace Creation Vulnerability

According to a recent post, GitLab patched five vulnerabilities affecting the service, including a critical severity flaw. As described, exploiting the vulnerability could allow arbitrary file write during workspace creation.

While the advisory doesn’t elaborate on this vulnerability, CVE-2024-0402, it does highlight its severity, citing a CVSS score of 9.9. This critical-severity flaw caught the attention of a GitLab team member, compelling the service to release the patch for all available versions. In fact, GitLab also backported this fix to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1.
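For administrators tracking self-managed instances, the following added example (not code from GitLab or from the advisory) classifies installed versions against the patched releases listed above. The host names, the status labels, and the treatment of branches newer than 16.8 as already fixed are assumptions made for illustration.

```python
import re

# Patched releases for CVE-2024-0402 as listed in the article, keyed by (major, minor).
PATCHED = {(16, 5): 8, (16, 6): 6, (16, 7): 4, (16, 8): 1}

# Accepts "16.7.3", "v16.7.3", "16.7.3-ee" and package-style "16.7.3-ee.0".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee)(?:\.\d+)?)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for an unknown format."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version):
    """Classify one version string against the patched releases."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return "patched" if patch >= PATCHED[branch] else "update-required"
    if branch > max(PATCHED):
        # Assumption: branches released after 16.8 carry the fix forward.
        return "patched"
    # Older branch: the article lists no fixed release for it, so it is
    # flagged for a check against the vendor advisory, not assumed safe.
    return "no-listed-fix"


def triage(inventory):
    """Map each host in a {host: version} inventory to a status label."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are illustrative only.
    sample = {"gitlab-a.example.internal": "16.8.0-ee.0",
              "gitlab-b.example.internal": "16.6.6-ce",
              "gitlab-c.example.internal": "15.11.13"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```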

Other GitLab Security Fixes

The other vulnerabilities addressed in the latest update are the following medium-severity issues.

  • CVE-2023-6159 (CVSS 6.5): Exploiting the vulnerability could allow an adversary to trigger Regular Expression Denial of Service (ReDoS) via a maliciously crafted input containing Cargo.toml. GitLab learned of this vulnerability through a HackerOne bug report.
  • CVE-2023-5933 (CVSS 6.4): Improper input sanitization of the user name could allow arbitrary API PUT requests.
  • CVE-2023-5612 (CVSS 5.3): The vulnerability existed due to unwarranted exposure of a user's email address via tags, even with profile visibility settings disabled.
  • CVE-2024-0456 (CVSS 4.3): This vulnerability could let an unauthorized attacker assign arbitrary users to MRs within the project.

The recent update marks the second major security release from GitLab. Earlier this month, GitLab released versions 16.7.2, 16.6.4, and 16.5.6 for both Community Edition and Enterprise Edition (CE/EE), patching a severe zero-click vulnerability. Now that another security release is out, users must update their systems to the latest versions to receive all patches in time.

Let us know your thoughts in the comments.
