GitLab releases emergency security patch, tells users to update immediately

A 10/10 vulnerability was recently discovered in GitLab

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

GitLab has published a fix for a critical security vulnerability found in two of its products, with users told to apply the patch immediately.

GitLab is a DevOps software package allowing users to develop, secure, and operate software used by developer teams that need to manage their code remotely, and has some 30 million registered users, including a million paying customers.

The company recently discovered a path traversal flaw, tracked as CVE-2023-2825. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, when certain conditions are met. As a result, threat actors could read sensitive data such as proprietary software code, user credentials, and more, from vulnerableendpoints. No more details are available at this time, with GitLab saying it would say more a month after the patch.

Silver lining

The flaw was given a severity score of 10/10, and was found in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Not all older versions are affected, but GitLab still recommends users apply the fix and bring the tools up to version 16.0.1.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in a security advisory, published together with the fix. “When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

Hybrid working could be a catastrophic mistake>When open source is done right, the sky’s the limit>These are the best ID theft protection tools at the moment

To exploit the flaw, there needs to be an attachment in a public project nested within at least five groups, the researchers said. The silver lining here is that this isn’t the structure found in all GitHub projects. Nevertheles, the company urged everyone to apply the fix, as there are no workarounds for the flaw, and there’s simply too much at stake.

To update the GitLab installation, user should follow the instructions foundhere.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)