The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via password reset. The flaw can be exploited to hijack an account without any user interaction.
“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address,” reads the advisory published by GitLab.
The flaw impacts the following versions:
GitLab addressed the flaw with the release of versions 16.7.2, 16.5.6, and 16.6.4. The company also backported the security patches to 16.1.6, 16.2.9, and 16.3.7.
Self-managed customers are recommended to review their logs for possible exploitation attempts: requests to the /users/password path whose params.value.email consists of a JSON array with multiple email addresses.

Researchers from ShadowServer still observe thousands of vulnerable instances exposed online, most of them in the US, Germany and Russia.
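A small log-review script for the indicator above, added here as an illustration and not taken from GitLab or the article. It assumes GitLab's production_json.log layout of one JSON object per line with a `params` list of `key`/`value` pairs; the sample lines and addresses are constructed.

```python
import json
from typing import Iterator

# Constructed sample lines shaped like GitLab's production_json.log
# (one JSON object per line). Addresses and IPs are illustrative only.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"198.51.100.10","time":"2024-01-12T10:00:00Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","other@example.net"]}}],"remote_ip":"203.0.113.7","time":"2024-01-12T10:01:00Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"198.51.100.11","time":"2024-01-12T10:02:00Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["solo@example.com"]}}],"remote_ip":"203.0.113.8","time":"2024-01-12T10:03:00Z"}
"""


def email_values(entry: dict) -> Iterator:
    """Yield every 'email' value found under params[].value, whatever its type."""
    for param in entry.get("params") or []:
        value = param.get("value")
        if isinstance(value, dict) and "email" in value:
            yield value["email"]


def is_suspicious(entry: dict) -> bool:
    """True when a password-reset request carried an email array with more than one address.

    A normal reset form submits a single string; a multi-element array is the
    pattern GitLab advises looking for in the logs.
    """
    if entry.get("path") != "/users/password":
        return False
    return any(isinstance(v, list) and len(v) > 1 for v in email_values(entry))


def scan(log_text: str) -> list[dict]:
    """Parse JSON-per-line log text and return the entries worth investigating."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the review
        if is_suspicious(entry):
            hits.append({
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": [v for v in email_values(entry) if isinstance(v, list)],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Point `scan` at the contents of the real production_json.log; any hit identifies a time and source address to investigate further, and the affected accounts should have their reset tokens and sessions reviewed.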
Under CISA's Binding Operational Directive (BOD) 22-01, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by May 22, 2024.