Cyber Resilience

CVE-2024-0402

Critical

Published: 26 January 2024
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see fixed versions below)
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4459 (97.7th percentile)
Risk Priority: 47 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-0402 is a critical-severity path traversal (CWE-22) vulnerability in GitLab. Its CVSS base score is 9.9 (Critical).

Operationally, it is ranked in the top 2.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-0402 is a path traversal vulnerability (CWE-22) in GitLab Community Edition and Enterprise Edition. It affects all versions from 16.0 prior to 16.6.6, from 16.7 prior to 16.7.4, and from 16.8 prior to 16.8.1, and permits an authenticated user to write files to arbitrary locations on the GitLab server during workspace creation. The flaw carries a CVSS 3.1 score of 9.9, reflecting network attack vector, low complexity, low privileges required, and changed scope with high impact on confidentiality, integrity, and availability.

An authenticated attacker can exploit the issue while creating a workspace to place files anywhere on the underlying server filesystem. Successful exploitation can therefore result in full control over application data and configuration, enabling further compromise of the GitLab instance and any connected resources.

GitLab’s critical security release of 25 January 2024 addresses the vulnerability by shipping fixed versions 16.6.6, 16.7.4, and 16.8.1; administrators are advised to upgrade immediately. The associated EPSS score has reached a peak of 0.4518 with a current value of 0.4459, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 16.8.0; 16.0.0 to 16.5.8; 16.6.0 to 16.6.6

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.

References