GitLab has released a patch for a critical security vulnerability affecting both editions of its product, and users are advised to apply it immediately.
GitLab is a DevOps platform for developing, securing, and operating software, used by developer teams that host and manage their code on a shared server. It has 30 million registered users, including a million paying customers.
The company recently disclosed CVE-2023-2825, a path traversal flaw. When certain conditions are met, the vulnerability allows unauthenticated attackers to read arbitrary files on the server. As a result, threat actors could read sensitive data from a vulnerable instance, including proprietary source code, user credentials, and more. No further technical details are available at this time; GitLab says it will publish more information a month after the patch release.
The silver lining
The flaw was assigned the maximum CVSS score of 10.0 and affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 only; older releases are not affected. GitLab nonetheless recommends that all users of 16.0.0 update to version 16.0.1 without delay.
“We strongly advise that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible,” GitLab said in a security advisory released alongside the fix. “When no specific deployment type of a product (omnibus, source code, helm chart, etc.) is mentioned, this means that all types are affected.”
According to the advisory, exploitation requires an attachment in a public project that is nested within at least five groups. The silver lining is that this structure is not found in all GitLab projects. Nonetheless, the company urged everyone to install the patch, because there is no workaround for the flaw and the potential impact is severe.
Administrators should follow GitLab's update documentation to upgrade their installation.
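The two preconditions the article describes (an instance running 16.0.0, and a public project nested at least five groups deep) can be checked from data an administrator already has. The following triage helper is an added example, not GitLab's own tooling or anything from the advisory: it reads a saved `GET /api/v4/version` response and a saved `GET /api/v4/projects?visibility=public` response (both real GitLab REST endpoints) and reports whether the instance is affected and which projects match the nesting precondition. The sample responses embedded below are constructed for illustration, and the helper does not check whether a flagged project actually contains an attachment, which the advisory lists as the remaining requirement.

```python
"""Triage helper for CVE-2023-2825 (GitLab CE/EE 16.0.0 path traversal).

Added example, not GitLab's code. Input is two saved GitLab REST responses:
  GET /api/v4/version                    -> {"version": "16.0.0", "revision": "..."}
  GET /api/v4/projects?visibility=public -> [{"path_with_namespace": "...", "visibility": "public", ...}, ...]
Only the structural preconditions are evaluated; attachment presence is not checked.
"""
import json

# Precondition from the advisory: public project nested within at least five groups.
MIN_GROUP_DEPTH = 5
# Only this release is affected; 16.0.1 carries the fix.
AFFECTED_VERSION = (16, 0, 0)
FIXED_VERSION = (16, 0, 1)


def parse_version(version: str) -> tuple:
    """'16.0.0-ee' -> (16, 0, 0): drop any edition/build suffix, keep numeric parts."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version: str) -> bool:
    """True only for 16.0.0; every other release is outside the advisory's scope."""
    return parse_version(version) == AFFECTED_VERSION


def group_depth(path_with_namespace: str) -> int:
    """Number of groups a project is nested in.

    'g1/g2/g3/g4/g5/app' -> 5 (the last path segment is the project itself,
    a single-segment namespace such as 'alice/tool' is a user namespace, depth 1).
    """
    parts = [p for p in path_with_namespace.strip("/").split("/") if p]
    return max(len(parts) - 1, 0)


def exposed_projects(projects: list) -> list:
    """Public projects whose namespace is at least MIN_GROUP_DEPTH groups deep."""
    return [
        p["path_with_namespace"]
        for p in projects
        if p.get("visibility") == "public"
        and group_depth(p["path_with_namespace"]) >= MIN_GROUP_DEPTH
    ]


def triage(version_json: str, projects_json: str) -> dict:
    """Combine both checks into one report."""
    version = json.loads(version_json)["version"]
    projects = json.loads(projects_json)
    affected = is_affected_version(version)
    candidates = exposed_projects(projects) if affected else []
    return {
        "version": version,
        "affected_version": affected,
        "candidate_projects": candidates,
        "action": (
            "upgrade to %d.%d.%d immediately; no workaround exists" % FIXED_VERSION
            if affected else "not affected by CVE-2023-2825"
        ),
    }


# Constructed sample responses (not captured from a real instance).
SAMPLE_VERSION = '{"version": "16.0.0", "revision": "deadbeef"}'
SAMPLE_PROJECTS = json.dumps([
    {"path_with_namespace": "alice/tool", "visibility": "public"},
    {"path_with_namespace": "corp/platform/infra/k8s/prod/manifests", "visibility": "public"},
    {"path_with_namespace": "corp/platform/infra/k8s/prod/secrets", "visibility": "private"},
    {"path_with_namespace": "corp/platform/infra/ci-templates", "visibility": "public"},
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VERSION, SAMPLE_PROJECTS), indent=2))
```

Run it against real exports by replacing the two sample strings with the saved API responses; the projects call is paginated, so concatenate all pages before passing them in. A private project at the required depth is deliberately not flagged, since the advisory's precondition is specifically a public project.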
Via: BleepingComputer