CVE-2024-0402

CRITICAL severity · CVSS 9.9 · Path traversal

9.9CVSS CRITICAL

Summary

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)45%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/Advisory
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/437819
https://gitlab.com/gitlab-org/gitlab/-/issues/437819