CVE-2024-0402

CRITICAL9.9EPSS 45.2%

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab

Published: 3/6/2024Modified: 5/20/2025

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

Affected packages (1)

Bitnami/gitlab>= 16.0.0, < 16.5.8, >= 16.6.0, < 16.6.6, >= 16.7.0, < 16.7.4, >= 16.8.0, < 16.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (3)

WEBhttps://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
WEBhttps://gitlab.com/gitlab-org/gitlab/-/issues/437819
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-0402