
Watch out: GitLab patches a critical security bug in Workspace Creation. Patch Now!

On January 11th, GitLab published a security advisory and patch releases addressing one critical vulnerability and four medium-severity flaws. Both Community Edition (CE) and Enterprise Edition (EE) are affected, and fixes are available in versions 16.8.1, 16.7.4, 16.6.6, and 16.5.8. Note that 16.5.8 is listed as a fixed version only for the critical issue; the four medium-severity fixes ship from 16.6.6 onward.



Critical Vulnerability: Arbitrary file write while creating workspace (CVE-2024-0402)


A critical flaw in GitLab CE/EE allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace (GitLab's remote development environment). The vulnerability is tracked as CVE-2024-0402 and carries a CVSS score of 9.9; it was discovered internally by a member of the GitLab team. Because the file write lands on the GitLab server itself rather than inside the workspace, any instance with the workspaces feature enabled and at least one user account an attacker could obtain is exposed.
Affected versions: 16.0.x before 16.5.8, 16.6.x before 16.6.6, 16.7.x before 16.7.4, and 16.8.x before 16.8.1.


Medium severity Vulnerability: ReDoS in Cargo.toml blob viewer (CVE-2023-6159)


This vulnerability is tracked as CVE-2023-6159 and has a CVSS score of 6.5 (medium severity). An attacker can commit a maliciously crafted Cargo.toml file to a repository so that rendering it in GitLab's blob viewer triggers a Regular Expression Denial of Service (ReDoS), tying up server resources through catastrophic regex backtracking.
Affected versions: all versions from 12.7 before 16.6.6, 16.7.x before 16.7.4, and 16.8.x before 16.8.1.


Medium severity Vulnerability: Arbitrary API PUT requests via HTML injection in the user’s name (CVE-2023-5933)


This vulnerability is tracked as CVE-2023-5933 and has a CVSS score of 6.4 (medium severity). Improper sanitization of the user name field allows HTML injection, which an attacker can leverage to cause arbitrary API PUT requests to be issued on vulnerable GitLab instances.
Affected versions: all versions from 13.7 before 16.6.6, 16.7.x before 16.7.4, and 16.8.x before 16.8.1.


Medium severity Vulnerability: Disclosure of the public email in Tags RSS Feed (CVE-2023-5612)


This vulnerability is tracked as CVE-2023-5612 and has a CVSS score of 5.3 (medium severity). An attacker could read a user's email address through a project's tags RSS feed even when that user had configured their profile to keep the email address private.
Affected versions: all versions before 16.6.6, 16.7.x before 16.7.4, and 16.8.x before 16.8.1.


Medium severity Vulnerability: Non-Member can update MR Assignees of owned MRs (CVE-2024-0456)


This vulnerability is tracked as CVE-2024-0456 and has a CVSS score of 4.3 (medium severity). A user who is not a member of a project could assign arbitrary users as assignees on merge requests (MRs) that the user had created within that project, bypassing the membership check that should govern assignee changes.
Affected versions: all versions from 14.0 before 16.6.6, 16.7.x before 16.7.4, and 16.8.x before 16.8.1.


Solution:


GitLab strongly recommends that all self-managed installations upgrade to one of the following patched versions to address the critical vulnerability and the four medium-severity flaws:

  • 16.8.1
  • 16.7.4
  • 16.6.6
  • 16.5.8

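Deciding whether a given instance still needs one of these releases means comparing its version against every affected range listed above, branch by branch, since 16.5.8 closes only CVE-2024-0402. The following script is an added example, not GitLab's or SanerNow's code: it transcribes the affected ranges from this advisory into a lookup, flags which CVEs apply to a reported version string, and suggests the lowest release that fixes all of them. The `/api/v4/version` endpoint and the `PRIVATE-TOKEN` header are GitLab's real API; the `gitlab.example.com` host, the environment variable names, and the sample version strings are placeholders chosen for the example.

```python
"""Check a GitLab version against the 11 January 2024 advisory ranges.

Added example; the CVE ranges below are transcribed from the advisory
text and are not an official GitLab data feed.
"""
import json
import os
import urllib.request
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed release on each minor branch that received patches.
FIXED = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}

# (CVE id, first affected version, branches whose patch release fixes it).
# 16.5.8 only carries the fix for the critical CVE-2024-0402; the four
# medium-severity issues are fixed from 16.6.6 onward.
ADVISORY = [
    ("CVE-2024-0402", (16, 0, 0), {(16, 5), (16, 6), (16, 7), (16, 8)}),
    ("CVE-2023-6159", (12, 7, 0), {(16, 6), (16, 7), (16, 8)}),
    ("CVE-2023-5933", (13, 7, 0), {(16, 6), (16, 7), (16, 8)}),
    ("CVE-2023-5612", (0, 0, 0), {(16, 6), (16, 7), (16, 8)}),
    ("CVE-2024-0456", (14, 0, 0), {(16, 6), (16, 7), (16, 8)}),
]


def parse_version(text: str) -> Version:
    """Turn '16.7.3-ee' (as returned by /api/v4/version) into (16, 7, 3)."""
    core = text.strip().split("-")[0]          # drop '-ee' / '-pre' suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def affected_cves(text: str) -> List[str]:
    """Return the CVE ids from the advisory that still apply to this version."""
    version = parse_version(text)
    branch = version[:2]
    hits = []
    for cve, first_affected, fixed_branches in ADVISORY:
        if version < first_affected:
            continue                                   # predates the bug
        if branch > max(fixed_branches):
            continue                                   # newer branch, already fixed
        if branch in fixed_branches and version >= FIXED[branch]:
            continue                                   # at or above the patch level
        hits.append(cve)                               # unpatched branch or below patch level
    return hits


def recommended_upgrade(text: str) -> Optional[str]:
    """Lowest advisory release that clears every CVE for this version, or None."""
    if not affected_cves(text):
        return None
    version = parse_version(text)
    for fixed in sorted(FIXED.values()):
        candidate = ".".join(str(n) for n in fixed)
        if fixed > version and not affected_cves(candidate):
            return candidate
    return None


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Live check if credentials are provided, otherwise constructed samples.
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    samples = [fetch_version(url, token)] if url and token else [
        "16.7.3-ee", "16.5.8", "15.11.13", "16.8.1",
    ]
    for sample in samples:
        print(sample, affected_cves(sample), "->", recommended_upgrade(sample))
```

Run it with `GITLAB_URL` and `GITLAB_TOKEN` set to query a real instance, or without them to see the constructed samples; a 16.5.x instance on 16.5.8 is reported as still exposed to the four medium-severity issues, which is why the function steers it to 16.6.6 rather than calling it patched.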
The SanerNow security feed has been published to detect these vulnerabilities. We strongly recommend updating GitLab to the patched versions as soon as possible.
