CVE-2024-0402

CRITICAL

Gitlab < 16.5.8 - Path Traversal

Title source: rule

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

Exploits (1)

nomisec WORKING POC 15 stars

by doyensec · poc

https://github.com/doyensec/malicious-devfile-registry

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/

[Broken Link] https://gitlab.com/gitlab-org/gitlab/-/issues/437819

Scores

CVSS v3 9.9

EPSS 0.4077

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-22

Status published

Affected Products (4)

gitlab/gitlab < 16.5.8

gitlab/gitlab < 16.5.8

gitlab/gitlab

gitlab/gitlab

Timeline

Published Jan 26, 2024

Tracked Since Feb 18, 2026