Wednesday, January 31, 2024

Update Your GitLab NOW! CVE-2024-0402 Is Critical and Scored 9.9


GitLab has shipped critical security releases for both Community Edition (CE) and Enterprise Edition (EE) to fix CVE-2024-0402, rated CVSS 9.9. The flaw lets an authenticated user write files to arbitrary locations on the GitLab server while creating a workspace. An arbitrary file write on the application host is usually a short step from code execution, and the only precondition is a valid account, so self-managed instances with many users or open sign-up should treat this as urgent. Affected are all versions from 16.0 before 16.5.8, 16.6 before 16.6.6, 16.7 before 16.7.4, and 16.8 before 16.8.1. The fix ships in 16.8.1 and has been backported to 16.5.8, 16.6.6 and 16.7.4; the 16.0 through 16.4 branches received no backport and must move to one of those releases.
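The version arithmetic above is easy to get wrong by hand, because each maintained branch has its own fixed release and the older 16.x branches have none. The following Python check is an example added here, not code from the original post or from GitLab: it encodes the thresholds named in the advisory and classifies a version string against them. The function names, the `fetch_version` helper and the sample version list are the editor's own; the `/api/v4/version` endpoint is GitLab's real API and needs a personal access token.

```python
"""Classify a GitLab version string against the CVE-2024-0402 affected ranges.

Added example. Thresholds are those in the GitLab advisory (16.0 through
16.8.0 vulnerable; fixed in 16.5.8, 16.6.6, 16.7.4 and 16.8.1). Function
names and the sample versions below are constructed for illustration.
"""
import json
import re
import urllib.request
from typing import Tuple

Version = Tuple[int, int, int]

# First patched release on each branch that received a fix. Branches 16.0
# through 16.4 got no backport, so an instance there must move to a newer branch.
FIXED_RELEASES = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}
FIRST_AFFECTED: Version = (16, 0, 0)          # workspace creation appeared in 16.0
LATEST_FIXED: Version = max(FIXED_RELEASES.values())

# Accepts "16.8.0", "v16.7.3" and the EE form "16.8.1-ee" returned by the API.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Version:
    """Reduce a GitLab version string to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(raw: str) -> Tuple[str, str]:
    """Return (status, action); status is 'not_affected', 'vulnerable' or 'patched'."""
    v = parse_version(raw)
    if v < FIRST_AFFECTED:
        return "not_affected", "pre-16.0 release, workspace creation not present"
    if v >= LATEST_FIXED:
        return "patched", f"{fmt(v)} is at or beyond {fmt(LATEST_FIXED)}"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        # 16.0.x through 16.4.x: no patched release exists on this branch.
        target = min(f for f in FIXED_RELEASES.values() if f > v)
        return "vulnerable", f"no fix on {v[0]}.{v[1]}.x; upgrade to {fmt(target)} or later"
    if v < fixed:
        return "vulnerable", f"upgrade to {fmt(fixed)} or later"
    return "patched", f"{fmt(v)} is at or beyond {fmt(fixed)} on its branch"


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version (requires an authenticated token)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; on a live instance use
    # assess(fetch_version("https://gitlab.example.com", token)) instead.
    for sample in ["15.11.13", "16.3.2", "16.7.3", "16.7.4", "16.8.0", "16.8.1-ee", "16.9.0"]:
        status, action = assess(sample)
        print(f"{sample:>10}  {status:<13} {action}")
```

Note that EE instances report versions with an `-ee` suffix, which the parser strips, and that a 16.3 or 16.4 instance is reported as vulnerable with no same-branch fix because none was published; the recommended target is the nearest patched release above it.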

Alongside the critical fix, the same releases resolve four medium-severity flaws, among them a regular-expression denial of service (ReDoS), an HTML injection, and the exposure of a user's public email address through the tags RSS feed.

The release follows GitLab's patch earlier this month for two critical vulnerabilities, one of which (CVE-2023-7028, CVSS score: 10.0) allowed account takeover without any user interaction. GitLab.com and GitLab Dedicated are already running the patched version, so only self-managed instances need action.

Administrators of self-managed GitLab instances are strongly advised to upgrade to one of the patched versions without delay. GitLab stresses the importance of keeping up with its security releases to preserve the integrity of GitLab installations.
