GitLab releases emergency security patch, tells users to update immediately

GitLab has published a fix for a critical security vulnerability found in two of its products, with users told to apply the patch immediately. 

GitLab is a DevOps software package allowing users to develop, secure, and operate software used by developer teams that need to manage their code remotely, and has some 30 million registered users, including a million paying customers. 

The company recently discovered a path traversal flaw, tracked as CVE-2023-2825. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, when certain conditions are met. As a result, threat actors could read sensitive data such as proprietary software code, user credentials, and more, from vulnerable endpoints. No more details are available at this time, with GitLab saying it would say more a month after the patch.

Silver lining

The flaw was given a severity score of 10/10, and was found in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Not all older versions are affected, but GitLab still recommends users apply the fix and bring the tools up to version 16.0.1.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in a security advisory, published together with the fix. “When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

To exploit the flaw, there needs to be an attachment in a public project nested within at least five groups, the researchers said. The silver lining here is that this isn’t the structure found in all GitHub projects. Nevertheles, the company urged everyone to apply the fix, as there are no workarounds for the flaw, and there’s simply too much at stake.

To update the GitLab installation, user should follow the instructions found here. 

• To keep your premises secure, make sure to grab one of the best firewalls right now

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.