GitLab has once again found itself in the spotlight, this time for a critical security flaw affecting both its Community Edition (CE) and Enterprise Edition (EE). This glitch, dubbed CVE-2024-0402, has raised eyebrows with its hefty CVSS score of 9.9 out of 10.
According to GitLab’s latest advisory released on January 25, 2024, the vulnerability rears its ugly head in versions ranging from 16.0 to 16.8.1. It’s a sneaky one, allowing authenticated users to scribble files into arbitrary locations on the GitLab server while innocently creating a workspace. Crafty, huh?
But fear not, dear GitLab users! The good folks at GitLab have swooped in with their capes, armed with patches that have been backported to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1. They’re basically the cybersecurity superheroes we never knew we needed.
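As an added illustration (not code from the post or from GitLab), here is a small Python triage script that turns the affected and patched versions above into a fleet check. The per-branch “fixed” thresholds are an assumption derived from the backported releases the post lists (16.0 through 16.4 got no backport, so those are assumed to need 16.5.8 or later), and the host inventory is constructed.

```python
import re

# Patched releases named in the post, keyed by minor branch. Assumption:
# anything on a listed branch below its patch level is affected, and the
# 16.0-16.4 branches (no backport) must move to the oldest patched branch.
PATCHED = {(16, 5): (16, 5, 8), (16, 6): (16, 6, 6),
           (16, 7): (16, 7, 4), (16, 8): (16, 8, 1)}
OLDEST_AFFECTED = (16, 0, 0)   # post: affected range starts at 16.0
LAST_AFFECTED_BRANCH = (16, 8)  # post: affected range ends at 16.8.1


def parse_version(text):
    """Parse 'major.minor[.patch]' with an optional suffix such as '-ee'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return (affected, recommended_version) for CVE-2024-0402.

    recommended_version is the lowest release on the same branch carrying
    the fix, or the oldest patched branch when no backport exists.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if v < OLDEST_AFFECTED or branch > LAST_AFFECTED_BRANCH:
        return False, None            # outside the range the advisory covers
    if branch in PATCHED:
        fixed = PATCHED[branch]
        return (v < fixed), (fixed if v < fixed else None)
    return True, PATCHED[(16, 5)]     # 16.0-16.4: no backport on this branch


def format_version(v):
    return ".".join(map(str, v))


if __name__ == "__main__":
    # Constructed sample inventory of self-managed instances (not real hosts).
    for host, ver in [("ci-a", "16.7.2-ee"), ("ci-b", "16.8.1"), ("ci-c", "16.3.5")]:
        affected, rec = assess(ver)
        verdict = f"AFFECTED -> upgrade to {format_version(rec)}" if affected else "ok"
        print(f"{host} ({ver}): {verdict}")
```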
And that’s not all! GitLab has also mopped up four other pesky flaws lurking in the shadows. These included vulnerabilities that could potentially lead to a ReDoS attack (no, it’s not a new energy drink), HTML injection (because who doesn’t love a little extra HTML in their morning coffee?), and even the inadvertent revelation of a user’s public email address via the tags RSS feed. Talk about oversharing!
This latest update comes hot on the heels of GitLab’s previous scramble to fix two critical blunders just two weeks ago. One of those bugs had the audacity to think it could take over accounts without so much as a “hello” from the user (CVE-2023-7028, with a jaw-dropping CVSS score of 10.0). GitLab users, it seems, have been on quite the rollercoaster ride lately.
So, what’s the takeaway from all this? Well, if you’re a GitLab user, it’s time to roll up those sleeves and hit that upgrade button faster than you can say “cybersecurity shenanigans.” After all, ain’t nobody got time for hackers hijacking their workspace or slurping up their email addresses. And remember, GitLab.com and GitLab Dedicated environments are already ahead of the game, so no need to panic – just upgrade, sit back, and let the cybersecurity superheroes do their thing!