GitLab Critical Account Takeover – CVE-2023-7028

17th January 2024

Summary

Last week GitLab published new versions of GitLab Community Edition (CE) and Enterprise Edition (EE) containing a number of important security fixes. One of them addresses a critical account takeover vulnerability for which proofs of concept are already circulating, and exploitation is easy.

CVE-2023-7028 – Account takeover via password reset without user interaction. User account password reset emails could be delivered to an unverified email address. Attackers could even use the default administrator email. CVSS 3.1: 10.0 (Critical)

CVE-2023-4812 – Bypass CODEOWNERS approval removal. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. CVSS 3.1: 7.6 (High)

CVE-2023-5356 – Slack/Mattermost integrations abused to execute slash commands as another user. Incorrect authorization checks allow a user to execute slash commands as another user through the Slack/Mattermost integrations. CVSS 3.1: 7.3 (High)

CVE-2023-6955 – Workspaces can be created under a different root namespace. An improper access control vulnerability in GitLab Remote Development allows an attacker to create a workspace in one group that is associated with an agent from another group. CVSS 3.1: 6.6 (Medium)

CVE-2023-2030 – Commit signature validation ignores headers after signature. An attacker could potentially modify the metadata of signed commits. CVSS 3.1: 3.5 (Low)

Affected Versions

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

The above versions apply to GitLab self-managed instances.
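To check a self-managed instance quickly against the ranges above, here is a small version checker added to this bulletin (it is not GitLab's own tooling). It encodes only the ranges listed on this page, so a version outside them (for example 16.0.x) is reported as not listed rather than as confirmed safe; the version string is assumed to be in GitLab's usual `MAJOR.MINOR.PATCH[-ee]` form, as printed by `gitlab-rake gitlab:env:info`.

```python
"""Check a GitLab version string against the affected ranges in this bulletin."""
import re
import sys

# Affected ranges exactly as listed in the bulletin; both ends inclusive.
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 1, 5)),
    ((16, 2, 0), (16, 2, 8)),
    ((16, 3, 0), (16, 3, 6)),
    ((16, 4, 0), (16, 4, 4)),
    ((16, 5, 0), (16, 5, 5)),
    ((16, 6, 0), (16, 6, 3)),
    ((16, 7, 0), (16, 7, 1)),
]

# Accepts '16.7.1', 'v16.7.1', '16.7' and edition suffixes such as '16.7.1-ee'.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\s*$")


def parse_version(text):
    """Return (major, minor, patch); a missing patch is treated as 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version lies inside one of the listed affected ranges."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def main(argv):
    """CLI entry point: exit 1 if affected, 0 if not listed, 2 on bad input."""
    if len(argv) != 2:
        print("usage: check_gitlab_version.py <version>", file=sys.stderr)
        return 2
    try:
        affected = is_affected(argv[1])
    except ValueError as err:
        print(err, file=sys.stderr)
        return 2
    verdict = "AFFECTED - upgrade now" if affected else "not in the listed ranges"
    print(f"GitLab {argv[1].strip()}: {verdict}")
    return 1 if affected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```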

Recommendations

Due to the severity of these vulnerabilities, organisations are strongly recommended to upgrade all GitLab installations to the latest versions immediately. GitLab.com is already running the patched version.

Additionally, users are recommended to enable Two-Factor Authentication (2FA) for all GitLab accounts, especially for users with elevated privileges (e.g. administrator accounts).