Cloud Security, Patch/Configuration Management, DevSecOps
2nd critical GitLab patch of 2024 fixes arbitrary file writing bug

(Credit: monticellllo - stock.adobe.com)
A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug.The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace. This ability is due to a path traversal flaw, in which users can manipulate pathnames to access locations outside of a restricted directory.CVE-2024-0402 impacts all versions of GitLab Community Edition and Enterprise Edition from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4 and 16.8 prior to 16.8.1, the company said in its advisory.A GitLab spokesperson told SC Media Wednesday that it had no indication CVE-2024-0402 has been exploited in the wild. The company declined to share further details about the vulnerability, noting more technical details would be disclosed publicly via GitLab’s issue tracker 30 days after the patch release, per GitLab’s Coordinated Disclosure Process. CVE-2024-0402 was discovered internally by GitLab Security Researcher Joern Schneeweisz.
An In-Depth Guide to Cloud Security
Get essential knowledge and practical strategies to fortify your cloud security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds