TRIAGE Critical Alert - GitLab Critical Flaw in Community and Enterprise Editions
James Beal
Security Architect and Threat Intelligence Researcher, Aeterneus Intel Founder. TRIAGE'ing the evolving threat landscape to help Infosec Teams and Execs keep their organizations safe!
TRIAGE
A few weeks after the last set of critical vulnerabilities, GitLab has released fixes for another critical security flaw (CVSS 9.9) in both the Community Edition and the Enterprise Edition. If you run either edition self-managed, patch immediately to the latest versions. GitLab.com and GitLab Dedicated have already been updated to the fixed versions.
Area of Impact
Per GitLab's latest Security release page:
Today we are releasing versions 16.8.1, 16.7.4, 16.6.6, 16.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
Overview
From the NVD:
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
Recommendation
If you are running an older version of either Community Edition or Enterprise Edition, update to the fixed releases listed above (16.8.1, 16.7.4, 16.6.6 or 16.5.8) or later.
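To turn the NVD version ranges quoted above into a concrete exposure check for a self-managed fleet, here is an added Python example (not code from GitLab or from this TRIAGE post). It assumes you have already collected each instance's version string, for example from GitLab's `/api/v4/version` endpoint; the hostnames in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as worded in the NVD entry quoted above
# (inclusive lower bound, exclusive upper bound). GitLab also shipped 16.5.8
# as a fix, but the NVD wording does not carve 16.5.x out of "16.0 prior to
# 16.6.6", so this check stays conservative and flags 16.5.8 as well.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((16, 0, 0), (16, 6, 6)),
    ((16, 7, 0), (16, 7, 4)),
    ((16, 8, 0), (16, 8, 1)),
]
# Patched release per minor line, from the GitLab advisory quoted above;
# anything older than 16.7 is pointed at 16.6.6.
FIXED_BY_MINOR: Dict[Tuple[int, int], str] = {(16, 8): "16.8.1", (16, 7): "16.7.4"}

def parse_version(version: str) -> Version:
    """'16.7.3-ee' (as returned by GET /api/v4/version) -> (16, 7, 3)."""
    core = version.strip().split("-")[0].split("+")[0]  # drop -ee/-ce/+build
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts[:3]] + [0, 0]  # pad '16.8' to 16.8.0
    return (nums[0], nums[1], nums[2])

def is_affected(version: str) -> bool:
    """True if the version lies inside any NVD-listed affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(version: str) -> str:
    """Patched release on the instance's own minor line, else 16.6.6."""
    major, minor, _ = parse_version(version)
    return FIXED_BY_MINOR.get((major, minor), "16.6.6")

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """{instance: version} -> {instance: action} for the whole fleet."""
    return {
        name: (f"UPGRADE to {recommended_upgrade(ver)} or later"
               if is_affected(ver) else "not affected")
        for name, ver in inventory.items()
    }

# Constructed sample inventory (hypothetical hostnames), as you would build it
# from each instance's /api/v4/version response.
SAMPLE_INVENTORY = {"git-prod": "16.7.3-ee", "git-dev": "16.8.1-ce", "git-legacy": "16.2.0-ee"}
```

Run `triage(SAMPLE_INVENTORY)` to get an action per instance; only the version string matters, so the same check works for CE and EE.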