CVE-2024-0402
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab
9.9
CRITICAL
CVSS 3.1
EPSS 44.6%
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1, which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
How to fix CVE-2024-0402
To remediate CVE-2024-0402, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 16.5.8 or later (the patched releases on the 16.6, 16.7 and 16.8 branches are 16.6.6, 16.7.4 and 16.8.1 respectively; see the affected ranges below).
Is CVE-2024-0402 being exploited?
Moderate — EPSS is 44.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- GitLab CE/EE, in any of these version ranges:
  - >= 16.0.0, < 16.5.8
  - >= 16.6.0, < 16.6.6
  - >= 16.7.0, < 16.7.4
  - >= 16.8.0, < 16.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.9) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |