Self-managed GitLab installations should be patched again (CVE-2024-0402)
Less than two weeks after plugging a security hole that allowed account takeover without user interaction, GitLab Inc. has patched another critical vulnerability (CVE-2024-0402) in GitLab CE/EE and is urging users to update their installations immediately.
GitLab Inc. operates GitLab.com (a web-based Git repository) and develops GitLab Community Edition (CE) and Enterprise Edition (EE), a widely used software development platform with built-in version control, issue tracking, code review, etc.
As a self-managed platform, GitLab can be deployed on on-prem servers, Kubernetes, or with a cloud provider.
CVE-2024-0402 is a vulnerability that may allow an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. Presumably, this vulnerability could therefore also be exploited to deliver malware.
Other security bugs fixed in these releases
At the same time, the company has also plugged four medium severity holes that may allow attackers to:
- Gain access to or expose sensitive data (CVE-2023-5933, CVE-2023-5612)
- Trigger a DoS condition (CVE-2023-6159), and
- Assign arbitrary users to merge requests that they created within the project (CVE-2024-0456)
It has to be noted, though, that while GitLab CE/EE versions 16.5.8, 16.6.6, and 16.7.4 contain patches for all of the aforementioned flaws, version 16.8.1 has only the patch for CVE-2024-0402.
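Because 16.8.1 fixes only CVE-2024-0402 while the three older branches fix all five CVEs, a plain "am I on the latest release?" check is not enough. The script below is an added example (not GitLab's own tooling) that encodes the fixed versions exactly as stated above and reports which CVEs a given self-managed version is not confirmed to be patched for. It assumes the advisory's version list is complete; any branch it does not list (older branches, or 16.8.x for the four medium-severity CVEs) is conservatively reported as unpatched, which is this example's assumption rather than a statement from GitLab.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as stated in the advisory summary: 16.5.8, 16.6.6 and 16.7.4
# carry all five fixes; 16.8.1 carries only the fix for CVE-2024-0402.
FIXED_IN: Dict[str, List[Version]] = {
    "CVE-2024-0402": [(16, 5, 8), (16, 6, 6), (16, 7, 4), (16, 8, 1)],
    "CVE-2023-5933": [(16, 5, 8), (16, 6, 6), (16, 7, 4)],
    "CVE-2023-5612": [(16, 5, 8), (16, 6, 6), (16, 7, 4)],
    "CVE-2023-6159": [(16, 5, 8), (16, 6, 6), (16, 7, 4)],
    "CVE-2024-0456": [(16, 5, 8), (16, 6, 6), (16, 7, 4)],
}

# Accepts "16.7.3" as well as the "-ce" / "-ee" suffix GitLab appends to
# its version strings (suffix handling is an assumption of this example).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string such as '16.7.3' or '16.7.3-ee'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def _branch_fix(fixes: List[Version], major: int, minor: int) -> Optional[Version]:
    """Return the fixed version on the same major.minor branch, if one is listed."""
    for fix in fixes:
        if fix[0] == major and fix[1] == minor:
            return fix
    return None


def unpatched_cves(version_text: str) -> List[str]:
    """Return the CVEs from this release cycle that the given version is not
    confirmed to contain a fix for.

    A version counts as patched for a CVE only if its major.minor branch is
    listed in FIXED_IN for that CVE and its patch level is at or above the
    listed fix. Branches that are not listed are reported as unpatched; this
    conservative default is an assumption of this example.
    """
    major, minor, patch = parse_version(version_text)
    missing: List[str] = []
    for cve, fixes in FIXED_IN.items():
        fix = _branch_fix(fixes, major, minor)
        if fix is None or patch < fix[2]:
            missing.append(cve)
    return missing


if __name__ == "__main__":
    # Constructed sample versions, one per branch mentioned in the advisory.
    for v in ("16.7.3-ee", "16.7.4", "16.8.0", "16.8.1", "16.4.2"):
        print(f"{v:>10} -> {unpatched_cves(v) or 'patched for all five'}")
```

Running it shows the point of the paragraph above in one line of output: 16.8.1 comes back clean for CVE-2024-0402 but still lists the four medium-severity CVEs, whereas 16.7.4 comes back clean for all five.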
“GitLab.com and GitLab Dedicated environments are already running the patched version,” the company has added.