GitLab patches another critical vulnerability


Plus four medium-rated bugs.

Popular source code management platform GitLab was patched on Friday, Australian time, against five vulnerabilities, including one with a critical severity rating.


The patches apply to both the enterprise and the community editions of GitLab.

The critical vulnerability is CVE-2024-0402 and carries a CVSS score of 9.9.

Discovered by GitLab employee Joern Schneeweisz, the bug “allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace”.

Because the write lands on the GitLab server itself, an authenticated attacker could use the bug to plant malicious files on the host or to steal data held there.

It affects “all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1”, GitLab said in its advisory. The fix ships in version 16.8.1 and has been backported to the 16.5, 16.6 and 16.7 branches as 16.5.8, 16.6.6 and 16.7.4 respectively.
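The affected ranges above are the check an administrator actually needs to run against each instance. The following script is an added example written for this article, not GitLab's own tooling: it transcribes the advisory's ranges, parses a GitLab version string such as `16.7.3-ee` (the format returned by the real `GET /api/v4/version` endpoint), and reports whether the instance is in a vulnerable range and which release to upgrade to. The sample API response embedded at the bottom is constructed for the example, and the script only knows about branches the advisory lists, so a later release such as 16.9 is reported as not affected rather than as safe.

```python
"""Check a GitLab version against the CVE-2024-0402 advisory ranges.

Added example for this article; not GitLab's code. The ranges are
transcribed from the advisory text quoted above.
"""
import json
from typing import Optional, Tuple

# Per affected branch: (first affected release, first fixed release).
# "from 16.0 prior to 16.5.8" => 16.0.0 <= version < 16.5.8, and so on.
AFFECTED_RANGES = [
    ("16.0.0", "16.5.8"),
    ("16.6.0", "16.6.6"),
    ("16.7.0", "16.7.4"),
    ("16.8.0", "16.8.1"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '16.7.3-ee', 'v16.8.0' or '16.0' into (16, 7, 3)-style tuples.

    The edition suffix (-ee / -ce) is dropped and a missing patch number
    is treated as 0, so '16.0' compares as 16.0.0.
    """
    core = v.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for the branch `version` sits in,
    or None if the version is outside every advisory range."""
    ver = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= ver < parse_version(first_fixed):
            return first_fixed
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside an [affected, fixed) range."""
    return fixed_version_for(version) is not None


def check_api_response(body: str) -> str:
    """Summarise a GET /api/v4/version JSON body ({"version": ..., "revision": ...})."""
    version = json.loads(body)["version"]
    target = fixed_version_for(version)
    if target is None:
        return f"{version}: not in an affected range listed by the advisory"
    return f"{version}: VULNERABLE to CVE-2024-0402, upgrade to {target}"


# Constructed sample response for the example; a real check would fetch
# it with an authenticated request to https://<instance>/api/v4/version.
SAMPLE_RESPONSE = '{"version": "16.7.3-ee", "revision": "deadbeef"}'

if __name__ == "__main__":
    print(check_api_response(SAMPLE_RESPONSE))
```

The comparison is done on parsed integer tuples rather than on strings, which matters here: a naive string comparison would rank `16.10.0` below `16.5.8` and mis-classify it.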

Earlier this month, GitLab addressed a critical account takeover bug.

The four medium-rated vulnerabilities fixed in last week’s release are:

  • CVE-2023-6159 – A denial-of-service triggered by a malicious regular expression in a Cargo manifest;
  • CVE-2023-5933 – Improper input sanitization of username allows arbitrary API PUT requests;
  • CVE-2023-5612 – Disclosure of user emails via the Tags RSS feed; and
  • CVE-2024-0456 – An unauthorised attacker can assign any user to merge requests in a project.

Two bundled third-party components, the libxml2 library and Redis, have also been updated in the release to address vulnerabilities of their own.

Copyright © iTnews.com.au . All rights reserved.