A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug.
The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace. The root cause is a path traversal flaw: a user-supplied path is not properly constrained, so a crafted pathname (typically one containing ".." segments) resolves to a location outside the directory the server meant to confine it to.
CVE-2024-0402 impacts all versions of GitLab Community Edition and Enterprise Edition from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4 and 16.8 prior to 16.8.1, the company said in its advisory.
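The advisory's affected ranges translate directly into a check an administrator can run over a fleet. The Ruby below is an added example, not GitLab's code or tooling: it encodes the four ranges above as half-open intervals, parses version strings of the form GitLab reports (for example "16.7.3-ee", as returned by the `/api/v4/version` endpoint), and flags any version that falls inside one of them. The sample fleet list is constructed for the example.

```ruby
# Affected ranges for CVE-2024-0402 from GitLab's advisory, as half-open
# intervals [first affected, first fixed). Note that 16.0 through 16.4
# have no fixed release of their own; anything below 16.5.8 is affected.
CVE_2024_0402_RANGES = [
  [[16, 0, 0], [16, 5, 8]],
  [[16, 6, 0], [16, 6, 6]],
  [[16, 7, 0], [16, 7, 4]],
  [[16, 8, 0], [16, 8, 1]],
].freeze

# Parse "MAJOR.MINOR.PATCH" (with an optional suffix such as "-ee") into
# an integer triple. Arrays compare lexicographically with <=>, which is
# exactly the ordering we want for version numbers.
def parse_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unparseable GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# True if the version lies inside any affected interval.
def vulnerable?(version_str, ranges = CVE_2024_0402_RANGES)
  v = parse_version(version_str)
  ranges.any? { |lo, hi| (v <=> lo) >= 0 && (v <=> hi) < 0 }
end

# Audit a list of (hostname, version) pairs, returning only the hosts
# that still need patching, keyed by hostname.
def audit_fleet(hosts)
  hosts.each_with_object({}) do |(host, version), needs_patch|
    needs_patch[host] = version if vulnerable?(version)
  end
end

# Constructed sample fleet for the example; not real hosts.
SAMPLE_FLEET = [
  ["git-a.example.internal", "16.7.3-ee"],   # affected (fixed in 16.7.4)
  ["git-b.example.internal", "16.8.1-ee"],   # patched
  ["git-c.example.internal", "16.2.4"],      # affected, no 16.2 fix exists
  ["git-d.example.internal", "15.11.13-ce"], # below the advisory's range
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_fleet(SAMPLE_FLEET).each { |host, ver| puts "#{host}: #{ver} is affected by CVE-2024-0402" }
end
```

Versions below 16.0 are reported as not affected only because the advisory does not list them; treat any unsupported release as needing an upgrade regardless.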
A GitLab spokesperson told SC Media Wednesday that it had no indication CVE-2024-0402 has been exploited in the wild. The company declined to share further details about the vulnerability, noting more technical details would be disclosed publicly via GitLab’s issue tracker 30 days after the patch release, per GitLab’s Coordinated Disclosure Process.
CVE-2024-0402 was discovered internally by GitLab Security Researcher Joern Schneeweisz.
Thousands of GitLab servers still at risk from critical CVEs
The path traversal bug is the second critical vulnerability patched by GitLab in 2024. The company released an advisory Jan. 11 for CVE-2023-7028, a CVSS 10-scored bug that could allow account takeover via the password reset process.
The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions.
Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug.
“The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.
Exploitation of CVE-2024-0402 requires an attacker to be authenticated and have sufficient permissions to create a GitLab workspace.
GitLab workspaces are cloud-based environments for remote development first made available as a beta feature for users of paid GitLab versions in May 2023, and generally available to users of paid versions with the release of version 16.8 on Jan. 18. A user must have at least a “Developer” role to set up a workspace.
Considering that attackers can take over GitLab accounts using CVE-2023-7028 with no user interaction, servers that have gone unpatched since early January could be at risk of chained exploitation: an account seized through CVE-2023-7028 supplies the authenticated, sufficiently privileged user that CVE-2024-0402 requires.
While path traversal and file writing are possible in a successful CVE-2024-0402 exploit, it is unclear whether the bug would enable remote code execution (RCE). Arbitrary file write on a server is often a stepping stone to RCE, but GitLab has not said whether that applies here, and its technical write-up is not due for 30 days.
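The path traversal pattern described in this article, shown as a vulnerable and a hardened path check side by side. This Ruby is an added illustration of the bug class, not GitLab's code and not the actual CVE-2024-0402 defect, whose details are not yet public; the workspace root and the sample paths are constructed for the example.

```ruby
# Directory that workspace files are supposed to stay inside.
# Constructed for this example; not a GitLab path.
WORKSPACE_ROOT = "/srv/workspaces".freeze

# Vulnerable pattern: a user-controlled relative path is joined onto the
# root with no check on where the result actually lands. ".." segments
# walk straight out of the root.
def naive_workspace_path(root, user_path)
  File.join(root, user_path)
end

# Hardened pattern: resolve the path lexically against the root, then
# require that the result is the root itself or a descendant of it.
# The trailing separator in the prefix check defeats sibling-prefix
# tricks such as "/srv/workspaces-evil"; absolute inputs are rejected
# because expand_path ignores the base for them.
def safe_workspace_path(root, user_path)
  root = File.expand_path(root)
  candidate = File.expand_path(user_path, root)
  unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "path escapes workspace root: #{user_path.inspect}"
  end
  candidate
end

# Run both checks over a set of attacker-style inputs and return, per
# input, what the naive join would have written to and what the hardened
# check decides (:rejected for anything outside the root).
def traversal_demo(root = WORKSPACE_ROOT)
  attempts = [
    "proj/devfile.yaml",       # legitimate relative path
    "proj/../other/file",      # ".." that stays inside the root
    "../../etc/passwd",        # classic escape
    "/etc/shadow",             # absolute path smuggled in
    "../workspaces-evil/x",    # sibling directory sharing the prefix
  ]
  attempts.map do |p|
    naive = File.expand_path(naive_workspace_path(root, p))
    safe = begin
      safe_workspace_path(root, p)
    rescue ArgumentError
      :rejected
    end
    [p, naive, safe]
  end
end

if __FILE__ == $PROGRAM_NAME
  traversal_demo.each { |p, naive, safe| puts "#{p.ljust(24)} naive=#{naive.ljust(32)} safe=#{safe}" }
end
```

The check is lexical, so it does not see through symlinks: if the root or the files beneath it may contain links, resolve with `File.realpath` on the existing parent directory before comparing, and do the comparison on the same server that performs the write, never on the client.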