GitLab alerts of critical vulnerability, exploitable without user interaction
Take action: If you are running a GitLab instance, ask EVERYONE to activate MFA immediately. Then patch ASAP. The flaw exposes every account on the instance, and most GitLab instances are designed to be reachable from the internet.
A critical vulnerability tracked as CVE-2023-7028 (CVSS score 10) in GitLab Community Edition (CE) and Enterprise Edition (EE) has raised significant security concerns due to its potential to allow remote account takeover without any user interaction. The vulnerability stems from a flaw in the email verification process that was inadvertently introduced in version 16.1.0 of GitLab, dated May 1, 2023. The flaw enables attackers to send password reset emails to unverified email addresses, thereby compromising the security of GitLab accounts.
This vulnerability affects all self-managed instances of GitLab CE and EE across multiple versions, ranging from 16.1 prior to 16.1.6, up to 16.7 prior to 16.7.2. Users with two-factor authentication (2FA) enabled are less exposed: an attacker can still reset their password without authorization, but cannot take over the account, because the second authentication factor is still required to log in.
ShadowServer reports that 5,379 instances accessible on the internet are vulnerable to this flaw.
To address this issue, GitLab has released updated versions – 16.7.2, 16.6.4, and 16.5.6 – which contain the necessary patches. These updates have also been backported to earlier versions including 16.1.6, 16.2.9, 16.3.7, and 16.4.5. GitLab strongly recommends that administrators of self-managed GitLab instances upgrade to these patched versions immediately to mitigate the risks. Additionally, enabling 2FA, particularly for accounts with administrative privileges, is advised to enhance security.
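As an added illustration (not code from GitLab or from the original article), the following Python helper classifies a reported version string against the affected and patched ranges listed above, so an administrator can triage an inventory of self-managed instances. The version format with an optional `-ce`/`-ee` suffix and the sample inventory are assumptions.

```python
"""Classify a self-managed GitLab version against the CVE-2023-7028 advisory ranges."""
import re
from typing import Dict, Optional, Tuple

# First fixed release of each affected minor series (16.1 through 16.7),
# taken from the advisory text above. An instance is affected when it runs
# one of these series at a patch level below the fixed release.
FIXED_RELEASES = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

# Assumption: versions look like "16.7.1" or "16.7.1-ee" (edition suffix optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$")


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH, ignoring a trailing -ce/-ee edition suffix."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(raw: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_to): 'vulnerable', 'patched', 'unaffected' or 'not_listed'."""
    version = parse_version(raw)
    if version < (16, 1, 0):
        return "unaffected", None  # predates 16.1.0, where the flaw was introduced
    fix = FIXED_RELEASES.get(version[:2])
    if fix is None:
        return "not_listed", None  # series newer than the advisory covers; check current advisories
    if version < fix:
        return "vulnerable", ".".join(map(str, fix))
    return "patched", None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every instance in {name: version_string}."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the names are placeholders, not real hosts.
    sample = {"git-prod": "16.7.1-ee", "git-dev": "16.4.5", "git-old": "16.0.8"}
    for name, (status, fix) in triage(sample).items():
        print(f"{name:10} {sample[name]:12} {status}" + (f" -> upgrade to {fix}" if fix else ""))
```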
Alongside CVE-2023-7028, GitLab disclosed four other significant vulnerabilities in its latest security release. These include CVE-2023-5356 (CVSS score 9.6), which could permit unauthorized users to exploit Slack/Mattermost integrations within GitLab CE and EE to execute slash commands as another user. Other vulnerabilities addressed include CVE-2023-4812, which allowed bypassing CODEOWNERS approval in certain scenarios, CVE-2023-6955, related to workspace creation across different groups, and CVE-2023-2030, which involved the potential alteration of metadata in signed commits.
GitLab advises users, especially those managing self-hosted platforms, to review their logs for any indications of exploitation attempts.