GitLab Vulnerability Allows Writing Files to an Arbitrary Server Directory

GitLab has published corrective updates for its platform (versions 16.8.1, 16.7.4, 16.6.6 and 16.5.8) that fix a total of five vulnerabilities. One of them, CVE-2024-0402, has been rated critical.

The critical vulnerability allows an unauthorized user to write files to any directory on the server, limited only by the access rights of the account under which the GitLab web interface runs. The flaw has been present since GitLab 16.0.

The vulnerability stems from an error in the implementation of the Workspace creation feature: it is triggered when parsing Devfile parameters supplied in malformed YAML. A patch has been released. The fix converts the YAML to JSON and rejects constructs that are valid in YAML but not acceptable in JSON, in particular ones that rely on certain Unicode characters.
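As an added illustration (this is not GitLab's patch or code), the Ruby snippet below shows the defensive pattern the fix describes: parse the devfile YAML with a safe loader, convert it to JSON, and reject anything that is valid YAML but has no faithful JSON representation. The set of refused Unicode characters and the function names are assumptions made for this example, not GitLab's.

```ruby
require "yaml"
require "json"
# Characters refused inside any scalar (assumption: a conservative set chosen for this
# example, not the exact set GitLab filters): controls, zero-width, bidi, LS/PS, BOM.
DISALLOWED_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u200B-\u200F\u2028\u2029\u202A-\u202E\u2066-\u2069\uFEFF]/

class DevfileRejected < StandardError; end
# Walk the parsed tree and reject anything JSON cannot represent one-to-one.
def check_json_compatible(node, path = "$")
  case node
  when Hash
    node.each do |k, v|
      raise DevfileRejected, "#{path}: non-string key #{k.inspect}" unless k.is_a?(String)
      check_json_compatible(k, path)
      check_json_compatible(v, "#{path}.#{k}")
    end
  when Array
    node.each_with_index { |v, i| check_json_compatible(v, "#{path}[#{i}]") }
  when String
    raise DevfileRejected, "#{path}: invalid UTF-8" unless node.valid_encoding?
    raise DevfileRejected, "#{path}: disallowed Unicode character" if node.match?(DISALLOWED_CHARS)
  when Float
    raise DevfileRejected, "#{path}: non-finite number" unless node.finite?
  when Integer, TrueClass, FalseClass, NilClass then nil # JSON-native scalars
  else
    raise DevfileRejected, "#{path}: YAML-only type #{node.class}"
  end
end

# Parse YAML with safe_load (no aliases, no custom classes), insist on a
# JSON-shaped mapping, and return the canonical JSON text; raise otherwise.
def load_strict_devfile(yaml_text)
  doc = YAML.safe_load(yaml_text)
  raise DevfileRejected, "top level must be a mapping" unless doc.is_a?(Hash)
  check_json_compatible(doc)
  json = JSON.generate(doc)
  # The round trip must be lossless, otherwise the YAML and JSON views disagree.
  raise DevfileRejected, "YAML/JSON round-trip mismatch" unless JSON.parse(json) == doc
  json
rescue Psych::Exception, JSON::GeneratorError => e
  raise DevfileRejected, "parse error: #{e.message}"
end

def devfile_accepted?(yaml_text)
  load_strict_devfile(yaml_text)
  true
rescue DevfileRejected
  false
end
```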

GitLab plans to publish detailed information about the vulnerability 30 days after the fix was released. The vulnerability was discovered during an internal review conducted by one of GitLab's employees, Gillab.
