GitLab CE/EE Product Security Update Advisory (CVE-2024-0402, CVE-2023-6159, CVE-2023-5933, CVE-2023-5612, CVE-2024-0456)

Overview

An update has been made available to fix vulnerabilities in GitLab (https://about.gitlab.com/) Community Edition (CE) and Enterprise Edition (EE). Users of those versions are advised to update to the latest version.

 

Affected Products

CVE-2024-0402

  • 16.0 before 16.5.8
  • 16.6 before 16.6.6
  • 16.7 before 16.7.4
  • 16.8 before 16.8.1

CVE-2023-6159

  • 12.7 before 16.6.6
  • 16.7 before 16.7.4
  • 16.8 before 16.8.1

CVE-2023-5933

  • 13.7 before 16.6.6
  • 16.7 before 16.7.4
  • 16.8 before 16.8.1

CVE-2023-5612

  • all versions before 16.6.6
  • 16.7 before 16.7.4
  • 16.8 before 16.8.1

CVE-2024-0456

  • 14.0 before 16.6.6
  • 16.7 before 16.7.4
  • 16.8 before 16.8.1
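The ranges above are easy to misread when an instance sits on one of the older minor lines, so the following added example (not GitLab's own tooling, and not part of the original advisory) turns them into a small checker. The range bounds are copied from this advisory; lower bounds are inclusive, upper bounds are the fixed versions and therefore exclusive. It also shows the caveat a practitioner wants: 16.5.8 closes only CVE-2024-0402, so an instance on 16.5.8 still needs 16.6.6 or later to clear the other four CVEs.

```python
"""Check a GitLab CE/EE version string against the affected ranges in this advisory.

Added example, not GitLab's own tooling. The version ranges are copied from the
advisory; suffixes such as '-ee' (as printed by GitLab's own version output) are stripped.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, in ascending order.
FIXED_VERSIONS = ["16.5.8", "16.6.6", "16.7.4", "16.8.1"]

# Affected ranges per CVE as (first affected, first fixed): lower bound inclusive,
# upper bound exclusive. "0.0.0" encodes "all versions before".
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2024-0402": [("16.0", "16.5.8"), ("16.6", "16.6.6"),
                      ("16.7", "16.7.4"), ("16.8", "16.8.1")],
    "CVE-2023-6159": [("12.7", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")],
    "CVE-2023-5933": [("13.7", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")],
    "CVE-2023-5612": [("0.0.0", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")],
    "CVE-2024-0456": [("14.0", "16.6.6"), ("16.7", "16.7.4"), ("16.8", "16.8.1")],
}


def parse_version(text: str) -> Version:
    """Turn '16.7.3', '16.7' or '16.7.3-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    parts += [0] * (3 - len(parts))  # '16.7' means the start of the 16.7 line
    return parts[0], parts[1], parts[2]


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from this advisory that apply to the given version, in advisory order."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest patched release newer than the running version that closes every CVE
    listed here, or None when the running version is already unaffected."""
    if not affected_cves(version):
        return None
    v = parse_version(version)
    for candidate in FIXED_VERSIONS:
        # Skip patched releases that still fall inside another CVE's range (e.g. 16.5.8).
        if parse_version(candidate) > v and not affected_cves(candidate):
            return candidate
    return None  # not reached with the ranges above: 16.8.1 is newer than every affected version


if __name__ == "__main__":
    import sys

    # Constructed sample inputs when no version is passed on the command line.
    for arg in sys.argv[1:] or ["16.5.7", "16.5.8", "16.7.3-ee", "16.8.1"]:
        cves = affected_cves(arg)
        status = ", ".join(cves) if cves else "not affected"
        target = recommended_upgrade(arg)
        print(f"{arg}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

Run it with the instance's version as the only argument (for example `python3 check_gitlab.py 16.7.3-ee`); the comparison is purely lexical on the version tuple, so it says nothing about whether a particular instance has the affected feature enabled.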

 

Resolved Vulnerabilities

CVE-2024-0402

  • Arbitrary file write vulnerability during workspace creation
     

CVE-2023-6159

  • ReDoS vulnerability in the Cargo.toml blob viewer

 

CVE-2023-5933

  • Arbitrary API PUT request vulnerability via HTML injection in a username

 

CVE-2023-5612

  • Public email information disclosure vulnerability in the tags RSS feed

 

CVE-2024-0456

  • Privilege vulnerability allowing a non-member user to update merge request (MR) contact information

 

Vulnerability Patches

A vulnerability patch was made available in the January 25, 2024 update. Please follow the instructions on the referenced site to update to a patched version.

CVE-2024-0402

  • 16.5.8
  • 16.6.6
  • 16.7.4
  • 16.8.1

CVE-2023-6159, CVE-2023-5933, CVE-2023-5612, CVE-2024-0456

  • 16.6.6
  • 16.7.4
  • 16.8.1

 

References

[1] CVE-2024-0402 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-0402
[2] CVE-2023-6159 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-6159
[3] CVE-2023-5933 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-5933
[4] CVE-2023-5612 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-5612
[5] CVE-2024-0456 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-0456
[6] GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/