Critical GitLab vulnerability zero-click takeover CVSS 10 out of 10

Brandon Lee
Posts: 446
Member Admin
Topic starter

Security Flaw Details

GitLab has rectified a critical security flaw rated at the highest severity level (10/10), identified as CVE-2023-7028. This vulnerability can be exploited without any user interaction.

The issue lies in an authentication flaw that allows password reset requests to be directed to any email address, even if it's not verified, leading to potential account takeovers. However, if two-factor authentication (2FA) is enabled, the attacker would still need the second factor to access the account.

Compromised GitLab accounts pose a significant threat, especially since GitLab is often used for storing confidential code, API keys, and other sensitive information. This vulnerability also raises the risk of supply chain attacks, where attackers might inject malicious code into repositories, particularly in cases where GitLab is used for Continuous Integration/Continuous Deployment (CI/CD).

The vulnerability was identified by a security researcher named 'Asterion', reported through HackerOne, and first appeared in the May 1, 2023, release of GitLab version 16.1.0.

Affected Versions:

  • 16.1 (before 16.1.5)
  • 16.2 (before 16.2.8)
  • 16.3 (before 16.3.6)
  • 16.4 (before 16.4.4)
  • 16.5 (before 16.5.6)
  • 16.6 (before 16.6.4)
  • 16.7 (before 16.7.2)

GitLab addressed this flaw in versions 16.7.2, 16.6.4, and 16.5.6, and also backported the fix to versions 16.1.6, 16.2.9, and 16.3.7.

Posted : 12/01/2024 3:56 pm
Brandon Lee
Posts: 446
Member Admin
Topic starter

GitLab has patched the CVSS 10 bug:

The vulnerability, identified as CVE-2023-7028 with a critical CVSS score of 10, first appeared in GitLab version 16.1.0. It allows attackers to redirect password reset emails to unverified email addresses.

Originally, GitLab 16.1.0 introduced a feature for sending password reset emails to a secondary email address. This was meant to assist users who lost access to their primary email inbox. However, due to a flaw in the email verification process, attackers could exploit this feature to send password reset messages to unverified emails, potentially hijacking the password reset process and risking account security.

This vulnerability affects all user accounts that use username and password for login, including those with Single Sign-On (SSO) options, as detailed in GitLab's advisory.

Accounts with two-factor authentication (2FA) are susceptible to password reset attacks, but are safeguarded against full account takeovers, as the vulnerability doesn't compromise the second-factor authentication.

The flaw affects both the Community Edition (CE) and Enterprise Edition (EE) of GitLab, versions 16.1 to 16.7.1. GitLab has released fixes in versions 16.5.6, 16.6.4, and 16.7.2, and has also backported the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

GitLab users managing their own instances are urged to update to a patched version and to enable 2FA for enhanced security.

Posted : 15/01/2024 7:27 am
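A minimal model of the bug class described in the two posts above, written in Ruby because GitLab is a Rails application. This is an added example, not GitLab's code or its actual fix: the `User` struct, the handler names and the sample addresses are assumptions made up for the demonstration. It shows a reset handler that mails a token to whatever addresses the request names, beside one that only mails addresses that are attached to the account and verified.

```ruby
require 'securerandom'

# Assumed user record: each email address is mapped to a verified? flag.
User = Struct.new(:username, :emails)

# Constructed sample account: a verified primary address and an unverified secondary.
USERS = [
  User.new('alice', { 'alice@example.com' => true, 'alice.backup@example.net' => false })
].freeze

def find_user(username)
  USERS.find { |u| u.username == username }
end

# Vulnerable pattern: the request decides where the reset token goes. Nothing checks
# that each address belongs to the account or has been verified, so the token can
# land in a mailbox the account owner does not control.
def reset_vulnerable(username, requested_emails)
  user = find_user(username)
  return [] unless user
  token = SecureRandom.hex(16)
  requested_emails.map { |addr| [addr, token] }
end

# Hardened pattern: the requested addresses only narrow the choice; the server mails
# nothing unless the address is both attached to the account and verified.
def reset_hardened(username, requested_emails)
  user = find_user(username)
  return [] unless user
  allowed = user.emails.select { |addr, verified| verified && requested_emails.include?(addr) }.keys
  return [] if allowed.empty?
  token = SecureRandom.hex(16)
  allowed.map { |addr| [addr, token] }
end

if __FILE__ == $PROGRAM_NAME
  request = ['alice@example.com', 'outsider@example.org'] # constructed request
  p reset_vulnerable('alice', request).map(&:first) # both addresses get the token
  p reset_hardened('alice', request).map(&:first)   # only the verified, attached one
end
```

The same verified-and-attached check is what makes enabling 2FA only a partial defence here: it limits what a leaked token is worth, while the fix removes the leak itself.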