PT-2024-5344 · Gitlab · Gitlab Ce/Ee+1

Ameya Darshan · Published 2024-07-10 · Updated 2024-08-30 · CVE-2024-6595

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
GitLab CE/EE versions 11.8 through 16.11.6
GitLab CE/EE versions 17.0 through 17.0.4
GitLab CE/EE versions 17.1 through 17.1.2

Description
An issue was discovered where it was possible to upload an NPM package with conflicting package data. This issue is related to an uncontrolled search path element. Exploitation of this issue may allow a remote attacker to upload a package with conflicting data.

Recommendations
For versions 11.8 through 16.11.6, update to a version after 16.11.6 to resolve the issue.
For versions 17.0 through 17.0.4, update to a version after 17.0.4 to resolve the issue.
For versions 17.1 through 17.1.2, update to a version after 17.1.2 to resolve the issue.
As a temporary workaround, consider restricting the upload of NPM packages until a patch is available.

Exploit

Fix

Weakness Enumeration

Untrusted Search Path
UI Misrepresentation of Critical Information
Unrestricted File Upload
Uncontrolled Search Path Element

Related Identifiers

BDU:2024-05977
BIT-GITLAB-2024-6595
CVE-2024-6595

Affected Products

Gitlab
Gitlab Ce/Ee