Hackers actively exploit the GitLab 'Forgot Your Password' vulnerability

Take action: If you are running a GitLab instance and still haven't patched for CVE-2023-7028, ask EVERYONE to activate MFA immediately and patch ASAP. Hackers are attacking you.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging immediate patching of the GitLab DevOps platform to mitigate the risk of account hijacking via the "Forgot Your Password" function. The vulnerability, tracked as CVE-2023-7028 (CVSS score 10) and patched in January 2024, could allow attackers to take over GitLab accounts by having password reset messages sent to attacker-controlled email addresses, without any verification of those addresses.

Despite early assurances that there was no in-the-wild exploitation, CISA has confirmed active exploitation.

Affected versions of GitLab are:

  • GitLab Community Edition (CE) and Enterprise Edition (EE), from version 16.1 up to and including 16.7.1.

The vulnerability has been patched in versions 16.5.6, 16.6.4, and 16.7.2, with backported patches available for versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
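As an added triage helper (not code from GitLab or from this article), the following encodes the affected and fixed version ranges stated above so an administrator can check an instance's reported version offline; the version strings fed to it are constructed samples.

```python
"""Triage helper: is a given GitLab version affected by CVE-2023-7028?

Constructed example, not GitLab's own code. It encodes only the ranges
stated in the advisory: 16.1 through 16.7.1 affected, fixed in 16.1.6,
16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4 and 16.7.2.
"""
import re
from typing import Tuple

# First fixed patch level for each affected 16.x minor branch (from the advisory).
FIXED_BY_BRANCH = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating edition suffixes such as '16.7.1-ee'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """True if the version is inside the affected window and below its branch's fix."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        # 16.0 and earlier, and 16.8 and later, are outside the affected range.
        return False
    return patch < fixed_patch


def triage(version: str) -> str:
    """Human-readable verdict with the remediation target for the running branch."""
    major, minor, _ = parse_version(version)
    if not is_vulnerable(version):
        return f"{version}: not affected by CVE-2023-7028"
    target = f"{major}.{minor}.{FIXED_BY_BRANCH[(major, minor)]}"
    return f"{version}: VULNERABLE to CVE-2023-7028, upgrade to {target} and enforce MFA"


if __name__ == "__main__":
    # Constructed sample versions covering the edges of the affected window.
    for v in ("16.0.8", "16.1.5-ee", "16.4.5", "16.7.1", "16.7.2", "16.8.0"):
        print(triage(v))
```

The version string can be taken from the instance's admin area or its version endpoint; only the `MAJOR.MINOR.PATCH` prefix is compared.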

CISA has given federal agencies until May 22, 2024, to update their GitLab instances to patched versions under Binding Operational Directive (BOD) 22-01.