CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini May 02, 2024

CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via password reset. The flaw can be exploited to hijack an account without any user interaction.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address,” reads the advisory published by GitLab.

The flaw impacts the following versions:

  • 16.1 prior to 16.1.5
  • 16.2 prior to 16.2.8
  • 16.3 prior to 16.3.6
  • 16.4 prior to 16.4.4
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

GitLab addressed the flaw with the release of versions 16.7.2, 16.5.6, and 16.6.4. The company also backported the security patches to 16.1.6, 16.2.9, and 16.3.7.

Self-managed customers are advised to review their logs for possible attempts to exploit this vulnerability:

  • Check the production JSON log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check the audit JSON log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
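The two log checks above can be automated. The following Python scanner is an added example, not code from the article or from GitLab: it walks JSON-lines log data, flags password-reset requests whose email parameter is an array with more than one address, and flags audit entries from PasswordsController#create whose target_details is such an array (whether stored as a list or as a JSON-encoded string). The exact field layout (`params` as a list of key/value objects, the `meta.caller.id` and `target_details` keys) and the sample log lines and addresses are constructed assumptions for illustration.

```python
import json
from typing import Callable, Iterable, List, Optional


def _multi_emails(value) -> Optional[list]:
    """Return the list if `value` is a JSON array (or a JSON-encoded array
    string) holding more than one entry; otherwise None.
    A plain address string such as "alice@example.com" is not valid JSON,
    so it is treated as a single recipient."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return None
    if isinstance(value, list) and len(value) > 1:
        return value
    return None


def suspicious_reset_request(entry: dict) -> bool:
    """Production log check: a request to /users/password whose
    params.value.email is an array of more than one address."""
    if entry.get("path") != "/users/password":
        return False
    for param in entry.get("params") or []:
        if not isinstance(param, dict):
            continue
        value = param.get("value")
        if isinstance(value, dict) and _multi_emails(value.get("email")):
            return True
    return False


def suspicious_audit_entry(entry: dict) -> bool:
    """Audit log check: PasswordsController#create whose target_details
    is an array of more than one address."""
    return (
        entry.get("meta.caller.id") == "PasswordsController#create"
        and _multi_emails(entry.get("target_details")) is not None
    )


def scan_log(lines: Iterable[str], predicate: Callable[[dict], bool]) -> List[dict]:
    """Parse one JSON object per line and return the entries (with their
    1-based line numbers) matched by `predicate`. Blank or non-JSON lines
    are skipped so a truncated log does not abort the scan."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except ValueError:
            continue
        if isinstance(entry, dict) and predicate(entry):
            hits.append({"line": lineno, "entry": entry})
    return hits


# Constructed sample lines (assumed layout; not taken from a real instance).
# Line 2 is the only suspicious reset request; line 4 is deliberately malformed.
PRODUCTION_LOG = r"""
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["alice@example.com","mallory@example.net"]}}]}
{"method":"GET","path":"/users/sign_in","params":[]}
not a json line
""".strip("\n")

# Lines 2 (array) and 3 (JSON array serialized as a string) should be flagged.
AUDIT_LOG = r"""
{"meta.caller.id":"PasswordsController#create","target_details":"alice@example.com"}
{"meta.caller.id":"PasswordsController#create","target_details":["alice@example.com","mallory@example.net"]}
{"meta.caller.id":"PasswordsController#create","target_details":"[\"bob@example.com\",\"mallory@example.net\"]"}
{"meta.caller.id":"SessionsController#create","target_details":"alice@example.com"}
""".strip("\n")


if __name__ == "__main__":
    for name, text, check in (
        ("production", PRODUCTION_LOG, suspicious_reset_request),
        ("audit", AUDIT_LOG, suspicious_audit_entry),
    ):
        for hit in scan_log(text.splitlines(), check):
            print(f"{name} log line {hit['line']}: {json.dumps(hit['entry'])}")
```

On a real instance the constructed strings would be replaced by reading the two log files line by line; matching only on `meta.caller.id` or the path, without the multi-address condition, would flag every ordinary password reset, so the array check is what separates an exploitation attempt from normal traffic.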

Researchers from ShadowServer still see thousands of instances exposed online that are vulnerable to this flaw, most of them in the US, Germany and Russia.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 22, 2024.


(SecurityAffairs – hacking, CISA)
