CVE-2024-0402

high-risk
Published 2024-01-26

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

Do I need to act?

!
40.8% chance of exploitation in next 30 days
EPSS score — higher than 59% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 52a7a8b5e226b1a0c2d2f7e240bb75dd3cc3b9b5, 7da037032f0d42a455bbc7624c23bf64e637fb5e, bb0e47b487a5af315a14e4060c5297c70b3d6f13, 1242b44772043e8c0a7eb4dd7be2d7e6aa5ce029
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Gitlab

References (4)

Vendor Advisory https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16...
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/437819
Vendor Advisory https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16...
Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/437819
60
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 17/34 · Moderate
Exposure 10/34 · Low