GitLab releases emergency security patch, tells users to update immediately

Sead Fadilpašić

May 25, 2023 at 1:22 PM·2 min read

GitLab has published a fix for a critical security vulnerability found in two of its products, with users told to apply the patch immediately.

GitLab is a DevOps software package allowing users to develop, secure, and operate software used by developer teams that need to manage their code remotely, and has some 30 million registered users, including a million paying customers.

The company recently discovered a path traversal flaw, tracked as CVE-2023-2825. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, when certain conditions are met. As a result, threat actors could read sensitive data such as proprietary software code, user credentials, and more, from vulnerable endpoints. No more details are available at this time, with GitLab saying it would say more a month after the patch.

Silver lining

The flaw was given a severity score of 10/10, and was found in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Not all older versions are affected, but GitLab still recommends users apply the fix and bring the tools up to version 16.0.1.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," GitLab said in a security advisory, published together with the fix. "When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected."

> Hybrid working could be a catastrophic mistake

> When open source is done right, the sky's the limit

> These are the best ID theft protection tools at the moment

To exploit the flaw, there needs to be an attachment in a public project nested within at least five groups, the researchers said. The silver lining here is that this isn’t the structure found in all GitHub projects. Nevertheles, the company urged everyone to apply the fix, as there are no workarounds for the flaw, and there’s simply too much at stake.

To update the GitLab installation, user should follow the instructions found here.

To keep your premises secure, make sure to grab one of the best firewalls right now

Via: BleepingComputer

Yahoo Sports
WNBA Draft winners and losers: As you may have guessed, the Fever did pretty well. The Liberty? Perhaps not
Here are five franchises who stood out, for better or for worse.
7h ago
Yahoo Sports
Boban Marjanović hilariously misses free throws on purpose to give Clippers fans free chicken
Boban Marjanović is a man of the people.
1d ago
Yahoo Sports
Nike responds to backlash over Team USA track kits, notes athletes can wear shorts
The new female track uniform looked noticeably skimpy at the bottom in one picture, which social media seized upon.
2d ago
Yahoo Sports
Yankees pitcher Fritz Peterson, infamous for trading wives with a teammate, dies at 82
Former New York Yankees left-hander Fritz Peterson died at the age of 82. He is probably best known exchanging wives with teammate Mike Kekich in the 1970s.
2d ago
Yahoo Sports
2024 Masters payouts: How much did Scottie Scheffler earn for his win at Augusta National?
The Masters has a record $20 million purse this year.
1d ago
Yahoo Sports
Rob Gronkowski's first pitch before the Red Sox's Patriots' Day game was typical Gronk
Never change, Gronk.
19h ago
Yahoo Sports
UFC 300: 'We're probably gonna get sued' after Arman Tsarukyan appeared to punch fan during walkout
'We'll deal with that Monday,' Dana White said about Arman Tsarukyan appearing to punch a fan during his UFC 300 walkout.
2d ago
Yahoo Sports
76ers' statue for Allen Iverson draws jokes, outrage due to misunderstanding: 'That was disrespectful'
Iverson didn't get a life-size statue. Charles Barkley and Wilt Chamberlain didn't either.
4d ago
Yahoo Sports
Mock Draft Monday with Daniel Jeremiah: Bears snag Odunze, Raiders grab a QB
It's another edition of 'Mock Draft Monday' on the pod and who better to have on then the face of NFL Network's draft coverage and a giant in the industry. Daniel Jeremiah joins Matt Harmon to discuss his mock draft methodology, what he's hearing about this year's draft class and shares his favorite five picks in his latest mock draft.
1d ago
Yahoo Movies
'Sasquatch Sunset' is so relentlessly gross that people are walking out of screenings. Star Jesse Eisenberg says the film was a ‘labor of love.’
“There are so many movies made for people who like typical things. This is not that," the film's star told Yahoo Entertainment.
4d ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

GitLab releases emergency security patch, tells users to update immediately

Silver lining

Recommended Stories

WNBA Draft winners and losers: As you may have guessed, the Fever did pretty well. The Liberty? Perhaps not

Boban Marjanović hilariously misses free throws on purpose to give Clippers fans free chicken

Nike responds to backlash over Team USA track kits, notes athletes can wear shorts

Yankees pitcher Fritz Peterson, infamous for trading wives with a teammate, dies at 82

2024 Masters payouts: How much did Scottie Scheffler earn for his win at Augusta National?

Rob Gronkowski's first pitch before the Red Sox's Patriots' Day game was typical Gronk

UFC 300: 'We're probably gonna get sued' after Arman Tsarukyan appeared to punch fan during walkout

76ers' statue for Allen Iverson draws jokes, outrage due to misunderstanding: 'That was disrespectful'

Mock Draft Monday with Daniel Jeremiah: Bears snag Odunze, Raiders grab a QB

'Sasquatch Sunset' is so relentlessly gross that people are walking out of screenings. Star Jesse Eisenberg says the film was a ‘labor of love.’