Patch Up or Pack Up: GitLab Rolls Out Critical Fix for CVE-2024-0402 with a Near-Perfect Danger Score

Need a quick fix? GitLab’s got you covered with their latest patch for a file-fiddling flaw so critical, it scored a 9.9 in digital gymnastics. Update now or risk a cyber belly-flop! #GitLabPatchAlert

Hot Take:

Well, it looks like GitLab’s been doing more patching than a pirate with a penchant for roughhousing! CVE-2024-0402 just dropped a near-perfect score on the “Oh, Snap!” scale with a 9.9 CVSS rating. Brace yourselves, GitLabbers—it’s time to hit that update button faster than you can say “arbitrary file overwrite vulnerability” three times fast!

Key Points:

  • GitLab just patched a whopper: CVE-2024-0402, with an “I’m-almost-a-10” CVSS score of 9.9.
  • This big bad bug could let authenticated users redecorate your server’s file system like it’s their own digital dollhouse, and all it takes is creating a workspace.
  • Affected versions include everything before 16.5.8, 16.6.6, 16.7.4, and 16.8.1—basically, a lot of numbers to keep in your noggin.
  • Not to be overshadowed, four medium-severity flaws also got squashed, tackling everything from ReDoS to unintentional email peepshows via RSS.
  • If you’re using GitLab, it’s time to upgrade like your cyber-safety depends on it—because it does!

CVE ID: CVE-2024-0402
CVE state: PUBLISHED
CVE assigner short name: GitLab
CVE date updated: 01/26/2024
CVE description: An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

CVE ID: CVE-2023-7028
CVE state: PUBLISHED
CVE assigner short name: GitLab
CVE date updated: 01/12/2024
CVE description: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Need to know more?

GitLab's Game of Patches

GitLab's been busy playing whack-a-mole with pesky vulnerabilities, and CVE-2024-0402 is the latest mole to pop up. But this isn't just any mole—it's Godzilla-sized, threatening to trample your security measures with the finesse of a bull in a digital china shop. GitLab's advisory from January 25, 2024, reads like a horror story for servers everywhere, with an authenticated user-turned-villain who can write files wherever they please.

Version Confusion Resolution

If you're dizzy from version vertigo, fear not! GitLab has backported patches to versions 16.5.8, 16.6.6, 16.7.4, and 16.8.1. So, if your version number looks like one of those, you're in the clear. If not, well, you might want to get on that. Like, yesterday.
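As an added example that is not part of the original post or of GitLab's own tooling, here is a small checker that encodes the affected range quoted above (16.0 onward) together with the backported fixes in 16.5.8, 16.6.6, 16.7.4 and 16.8.1, so a list of instance versions can be triaged in one pass. The version strings in the sample run are constructed, not real hosts.

```python
"""Triage GitLab version strings against the CVE-2024-0402 affected ranges.

Range data comes from the advisory text quoted on this page: affected from
16.0 onward, fixed in the backports 16.5.8, 16.6.6, 16.7.4 and 16.8.1.
"""
from __future__ import annotations

import re

CVE_ID = "CVE-2024-0402"
AFFECTED_FROM = (16, 0, 0)          # first affected release
# Earliest fixed release in each minor series that received a backport.
FIXED_IN = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}
FIXED_FROM = FIXED_IN[(16, 8)]       # 16.8.1 and everything after it ship fixed

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch][-suffix]' (e.g. '16.7.3-ee') into a tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text: str) -> bool:
    """True if this version falls inside an affected range for CVE-2024-0402."""
    v = parse_version(text)
    if not (AFFECTED_FROM <= v < FIXED_FROM):
        return False                  # 15.x and earlier, or 16.8.1 and later
    fixed = FIXED_IN.get(v[:2])       # backport for this minor series, if any
    return fixed is None or v < fixed # 16.0-16.4 had no backport: all affected


def triage(versions: list[str]) -> dict[str, str]:
    """Map each version string to 'affected' or 'fixed' for an inventory report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    sample = ["16.8.0", "16.8.1", "16.7.3-ee", "16.5.8", "16.2.0", "15.11.0"]
    for ver, status in triage(sample).items():
        print(f"{CVE_ID} {ver:>10}: {status}")
```

Note that the CVE description above lists 16.5 as affected up to 16.6.6, while GitLab's patched-version list includes the 16.5.8 backport; the checker follows the patched list.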

The Understudies Steal the Show

But wait—there's more! Four medium-severity issues also stepped into the spotlight, vying for attention with their own acts of cyber-sabotage. We've got a ReDoS that could slow your systems to a crawl, an HTML injection that's just begging for a malicious makeover, and a sneaky RSS feed ready to gossip about your public email address. Drama, drama, drama!

The Update Encore

Just when you thought it was safe to go back in the water, GitLab is back on stage with an encore, reminding users to upgrade faster than you can blink an "I'm vulnerable" Morse code message. They've already got GitLab.com and GitLab Dedicated strutting their stuff in the latest, most secure versions—so what are you waiting for? It's update time!

GitLab's Preemptive Strike

And let's not forget, this latest update comes hot on the heels of a previous patch parade that addressed two other critical issues, including the dreaded CVE-2023-7028. With a CVSS score of a perfect 10, that vulnerability could hijack accounts without so much as a "please" or "thank you." GitLab's really putting the "Sec" in DevSecOps, and for that, we can all sleep a little more soundly—at least until the next vulnerability rears its head.

Tags: arbitrary file write vulnerability, CVE-2024-0402, CVSS score, DevSecOps Platform, GitLab security patch, GitLab version upgrade, software vulnerability fix