GitLab 'strongly recommends' patching max severity flaw ASAP

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.

GitLab is a web-based Git repository for developer teams that need to manage their code remotely and has approximately 30 million registered users and one million paying customers.

The vulnerability addressed in the latest update was discovered by a security researcher named 'pwnie,' who reported the issue on the project's HackOne bug bounty program.

It impacts GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, but all versions older than this aren't affected.

The flaw arises from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files, and other private information.

This prerequisite suggests that the issue relates to how GitLab manages or resolves paths for attached files nested within several levels of group hierarchy. However, due to the criticality of the problem and the freshness of its discovery, not many details were disclosed by the vendor this time.

Instead, GitLab highlighted the importance of applying the latest security update without delay.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," reads GitLab's security bulletin.
 
  • Applause
Reactions: vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top