Developers relying on GitLab's popular source code management platform need to act quickly to secure their implementations against multiple just-disclosed vulnerabilities.
A week ago, GitLab released a security update to fix a critical severity flaw that could allow an attacker to take over user accounts by resetting passwords without user interaction. Today company shipped urgent security releases for several of its Community and Enterprise Edition offerings to resolve critical and high severity flaws allowing unauthorized access.
Among the most glaring of these bugs is an arbitrary file write vulnerability that could let attackers completely compromise GitLab instances. With a CVSS severity score of 9.9 out of 10, the vulnerability tracked as CVE-2024-0402 represents a critical threat for the large number of organizations using vulnerable GitLab versions in production.
The critical issue allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. Discovered internally by a GitLab security researcher, if exploited this could give hackers a foothold to steal data or distribute malware across corporate networks.
We strongly recommend that all installations running a version affected by the issues are upgraded to the latest version as soon as possible.- reads GitLab advisory
Also concerning is an input validation weakness that could open the door to denial-of-service attacks against GitLab servers. By sending maliciously crafted content to the Cargo.toml blob viewer, an attacker could trigger a regular expression denial of service condition.
While not enabling data access or system takeover, a successful regex DDoS attack could still interrupt availability and impact productivity for developers relying on GitLab services. And with many companies using GitLab to underpin their CI/CD pipelines, developers are flocking to the platform making it an increasingly high value target.
Among the other medium priority flaws now fixed is a subtle user profile API manipulation issue. By injecting HTML tags into their user name, an attacker could modify or delete API data after being viewed by an admin user. While requiring user interaction and privilege escalation, the bug still posed a data confidentiality threat.
Disclosure of private user email addresses through the GitLab RSS feed was also possible before this update. Non-members being able to modify merge requests could likewise break the integrity of some repositories.
Updating Mitigates Critical GitLab Security Risks
The latest GitLab point releases include patches for all these vulnerabilities and additional dependency updates and optimizations. With frequent releases, administrators must stay on top of updates to ensure security and benefit from new features.
The expansive functionality and growing user base of GitLab make it an enticing target for attackers. Organizations relying on vulnerable versions are exposed to unacceptable levels of risk until they upgrade. Developers and DevOps teams should update to the latest GitLab releases as soon as possible to protect their pipelines and source code.