GitLab Critical Security Release 16.8.1 (CVE-2024-0402)

Fleury, Terry

Jan 26, 2024, 4:30:57 PM

CI Operators:

GitLab has released v16.8.1 [1] to address a critical security vulnerability (CVE-2023-7028 [2]) which has a CVSSv3 score of 9.9. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE).

When creating a workspace, an authenticated user can write files to any location on the GitLab server. 

Affected Software

  • GitLab 16.x < v16.5.8
  • GitLab 16.6 < v16.6.6
  • GitLab 16.7 < v16.7.4
  • GitLab 16.8 < v16.8.1

Upgrade to the latest patched version of GitLab for your installation [3]. There are no recommended mitigations.
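As an added example (not part of the advisory or of GitLab's own tooling), the following Python checker encodes the "Affected Software" ranges above so an operator can triage an inventory of instance versions offline. It assumes that "GitLab 16.x < v16.5.8" means every 16.0 through 16.5 release below 16.5.8, and that version strings look like the ones GitLab reports (for example `16.7.3-ee`); the instance names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases from the advisory's "Affected Software" list, keyed by the
# highest minor branch each fix covers. "GitLab 16.x < v16.5.8" is read here as
# every 16.0 .. 16.5 release below 16.5.8 (an assumption about that wording).
FIXED_BY_BRANCH: List[Tuple[int, Version]] = [
    (5, (16, 5, 8)),   # 16.0 .. 16.5 -> 16.5.8
    (6, (16, 6, 6)),   # 16.6        -> 16.6.6
    (7, (16, 7, 4)),   # 16.7        -> 16.7.4
    (8, (16, 8, 1)),   # 16.8        -> 16.8.1
]

# Accepts "16.7.3", "v16.7.3", "16.7.3-ee" and "16.7.3-ce"; the edition suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the patched release for this version's branch, or None when the
    advisory lists no range for it (releases outside 16.x, or 16.9 and later)."""
    major, minor, _ = version
    if major != 16:
        return None
    for top_minor, fixed in FIXED_BY_BRANCH:
        if minor <= top_minor:
            return fixed
    return None


def is_affected(text: str) -> bool:
    """True when the running version falls inside one of the advisory's affected ranges."""
    version = parse_version(text)
    fixed = fixed_version_for(version)
    return fixed is not None and version < fixed


def recommended_upgrade(text: str) -> Optional[str]:
    """The patched release in the same branch, or None if no upgrade is needed for this CVE."""
    version = parse_version(text)
    fixed = fixed_version_for(version)
    if fixed is None or version >= fixed:
        return None
    return "%d.%d.%d" % fixed


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map instance name -> running version to (name, version, target) for every
    instance that still needs the patch."""
    return [
        (name, ver, recommended_upgrade(ver))
        for name, ver in inventory.items()
        if is_affected(ver)
    ]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "gitlab-prod": "16.7.3-ee",
        "gitlab-dev": "16.8.1-ce",
        "gitlab-legacy": "16.2.9-ee",
        "gitlab-old": "15.11.13-ee",
    }
    for name, ver, target in triage(sample):
        print(f"{name}: {ver} is affected, upgrade to {target}")
```

The version string to feed in is the one an instance reports for itself, e.g. the `version` field of the authenticated `GET /api/v4/version` endpoint. Versions the list does not cover (anything outside 16.x) come back as not affected only because the advisory says nothing about them, not because they have been assessed.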

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
