GitLab has released security updates to address two critical vulnerabilities, one of which can be exploited to take over an account without any user interaction.
Tracked as CVE-2023-7028, the vulnerability carries the maximum severity score of 10.0 on the CVSS scale and could allow account compromise by causing password reset emails to be sent to unverified email addresses.
The DevSecOps platform said the vulnerability was caused by an error in the email verification process that allowed users to reset their passwords via a secondary email address.
It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) using the following versions –
- 16.1 before 16.1.6
- 16.2 before 16.2.9
- 16.3 before 16.3.7
- 16.4 before 16.4.5
- 16.5 before 16.5.6
- 16.6 before 16.6.4
- 16.7 before 16.7.2
GitLab said it has resolved the issue in GitLab versions 16.5.6, 16.6.4 and 16.7.2, and has backported the fix to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5. The company further noted that the vulnerability was introduced in 16.1.0 on May 1, 2023.
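Checking an inventory of self-managed instances against the version ranges above is the first thing a defender will want to do. The following script is an added example written for this article, not GitLab's own tooling; the affected ranges and the 16.1.0 introduction point come from the advisory text, while the function names, status strings and the sample host list are this example's own constructed assumptions. It treats anything below 16.1.0 as not affected, anything inside a listed series as vulnerable or patched depending on the patch number, and anything in a series the advisory does not list (such as 16.8) as "unlisted" rather than guessing.

```python
"""Added example: classify GitLab version strings against the CVE-2023-7028 ranges.

Illustrative code for this article, not GitLab's tooling. Ranges are taken from
the advisory; status strings and function names are this example's own.
"""
import re
from typing import Dict, Iterable, Tuple

# Minor series -> first patch release in that series containing the fix (from the advisory).
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
INTRODUCED = (16, 1, 0)  # advisory: the bug was introduced in 16.1.0

# Status strings (this example's own labels).
VULNERABLE = "vulnerable"
PATCHED = "patched"
NOT_AFFECTED = "not affected (before 16.1.0)"
UNLISTED = "outside the advisory's listed ranges; consult the vendor advisory"

# Accepts "16.5.3", "v16.5.3" and suffixed forms such as "16.5.3-ee" or "16.5.3-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def assess(text: str) -> str:
    """Return one of the status strings above for a single version string."""
    version = parse_version(text)
    if version < INTRODUCED:
        return NOT_AFFECTED
    first_fixed = FIRST_FIXED.get(version[:2])
    if first_fixed is None:
        # A series the advisory does not enumerate (e.g. 16.8): do not guess.
        return UNLISTED
    return VULNERABLE if version < first_fixed else PATCHED


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a host -> version inventory."""
    return {host: assess(version) for host, version in inventory.items()}


def vulnerable_hosts(inventory: Dict[str, str]) -> Iterable[str]:
    """Hosts that still need the upgrade, sorted for stable reporting."""
    return sorted(h for h, s in assess_inventory(inventory).items() if s == VULNERABLE)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for this example).
    sample = {
        "git.example.internal": "16.5.3-ee",
        "gitlab.lab.example": "16.7.2",
        "legacy.example": "15.11.13",
        "new.example": "16.8.0",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host:24} {sample[host]:12} {status}")
```

In practice the version strings would come from each instance's `GET /api/v4/version` endpoint (which returns a JSON object with a `version` field such as `16.5.3-ee`) or from the package manager; the parser above already tolerates the edition suffix that endpoint returns.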
“In these releases, all authentication mechanisms are affected,” GitLab said. “Additionally, users who have two-factor authentication enabled are vulnerable to password resets but not account takeovers because they require a second authentication factor to log in.”
As part of the latest update, GitLab also fixed another critical flaw (CVE-2023-5356, CVSS score: 9.6) that allowed users to abuse the Slack/Mattermost integration to execute slash commands as other users.
To mitigate the risk, it is recommended to upgrade affected instances to a patched version as soon as possible and to enable two-factor authentication (2FA) where it is not already enabled, especially for users with elevated privileges.