Self-managed GitLab installations should be patched again (CVE-2024-0402)

Less than two weeks after plugging a security hole that allowed account takeover without user interaction, GitLab Inc. has patched another critical vulnerability (CVE-2024-0402) in GitLab CE/EE and is urging administrators of self-managed installations to update immediately.


GitLab Inc. operates GitLab.com (a hosted Git repository and DevSecOps service) and develops GitLab Community Edition (CE) and Enterprise Edition (EE), a widely used software development platform with built-in version control, issue tracking, code review, CI/CD and more.

As a self-managed platform, GitLab can be deployed on on-prem servers, Kubernetes, or with a cloud provider.

About CVE-2024-0402

CVE-2024-0402 may allow an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. An arbitrary file write on the host, carried out with the privileges of the GitLab service, is the kind of primitive that is routinely chained into code execution (for instance by overwriting files the server later loads or runs), which is why the flaw is rated critical even though it requires an account: any user who can authenticate, including a compromised low-privilege one, is a candidate attacker, and the end result can be the deployment of malware on the server.

Discovered by a GitLab team member, CVE-2024-0402 has been fixed in GitLab CE/EE versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1. (GitLab v16.8 was released earlier this month.)

Other security bugs fixed in these releases

At the same time, the company has also plugged four medium severity holes that may allow attackers to:

  • Gain access to or expose sensitive data (CVE-2023-5933, CVE-2023-5612)
  • Trigger a DoS condition (CVE-2023-6159), and
  • Assign arbitrary users to merge requests that they created within the project (CVE-2024-0456)

Note, though, that while GitLab CE/EE versions 16.5.8, 16.6.6 and 16.7.4 contain patches for all of the aforementioned flaws, version 16.8.1 contains only the patch for CVE-2024-0402. Administrators on the 16.8 line therefore get the critical fix now but remain exposed to the four medium-severity issues until a later 16.8 release includes those patches.
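The following script is an added example, not GitLab's own code or tooling. It encodes the fixed-version table from the advisory above, including the 16.8.1 caveat, and classifies a running instance's version string. GitLab's `GET /api/v4/version` endpoint (which requires an authenticated personal access token) is real; the assumptions are that any release later than the listed fixed version within the same minor line, and any newer minor line, also carries the fixes, and that later 16.8.x releases fold in the medium-severity patches. The sample version strings run at the bottom are constructed for illustration.

```python
"""Classify a self-managed GitLab version against the CVE-2024-0402 advisory.

Added example, not GitLab's code. Fixed versions are taken from the advisory
summarized in the article; the "later release in the same line is also fixed"
rule and the treatment of 16.8.x beyond 16.8.1 are assumptions.
"""
import json
import re
import urllib.request

# First fixed release per minor line, as listed in the advisory.
FIXED_BY_LINE = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}
OLDEST_FIXED_LINE = (16, 5)
NEWEST_ADVISORY_LINE = (16, 8)


def parse_version(text):
    """Turn '16.8.1-ee', 'v16.7.4' or '16.5.8' into an int tuple; raise on junk."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version):
    """Return {'cve_2024_0402': bool, 'medium_fixes': bool, 'note': str}."""
    major, minor, patch = parse_version(version)
    line = (major, minor)

    if line < OLDEST_FIXED_LINE:
        # No fixed release exists for these lines; only a line upgrade helps.
        return {"cve_2024_0402": False, "medium_fixes": False,
                "note": "older than any line that received a fix; upgrade to a supported line"}

    if line > NEWEST_ADVISORY_LINE:
        # Assumption: lines newer than the advisory ship with all fixes.
        return {"cve_2024_0402": True, "medium_fixes": True,
                "note": "assumed fixed: newer than the lines covered by the advisory"}

    fixed = FIXED_BY_LINE[line]
    if (major, minor, patch) < fixed:
        return {"cve_2024_0402": False, "medium_fixes": False,
                "note": f"upgrade to {'.'.join(map(str, fixed))} or later"}

    if line == (16, 8) and patch == 1:
        # The one release that shipped only the critical fix.
        return {"cve_2024_0402": True, "medium_fixes": False,
                "note": "16.8.1 carries only the CVE-2024-0402 fix; "
                        "the four medium-severity fixes are not in it"}

    # Assumption: later releases in a fixed line (including 16.8.2+) keep every fix.
    return {"cve_2024_0402": True, "medium_fixes": True, "note": "patched"}


def fetch_version(base_url, token):
    """Query the instance's version via GET /api/v4/version (token required)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample version strings; a live check would be:
    #   patch_status(fetch_version("https://gitlab.example.test", "glpat-..."))
    for sample in ("16.4.9", "16.5.7-ce", "16.5.8-ee", "16.8.0", "16.8.1-ee", "16.9.0"):
        status = patch_status(sample)
        print(f"{sample:<10} CVE-2024-0402 fixed={status['cve_2024_0402']!s:<5} "
              f"medium fixed={status['medium_fixes']!s:<5} {status['note']}")
```

The two booleans are deliberately separate so that a fleet inventory can distinguish "safe from the critical bug" from "fully patched": a 16.8.1 host passes the first test and fails the second, which is exactly the distinction the advisory draws.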

“GitLab.com and GitLab Dedicated environments are already running the patched version,” the company has added.
