GitLab Addresses Critical Vulnerability Demanding Immediate Patching

GitLab administrators are urged to promptly apply the latest security patches following the disclosure of a critical account-bypass vulnerability. Tracked as CVE-2023-7028, the vulnerability takes advantage of a change introduced in GitLab’s version 16.1.0 in May 2023. This change enabled users to issue password resets through a secondary email address, exposing them to potential exploitation.

Exploiting the vulnerability involves using a specially crafted HTTP request to send a password reset email to an attacker-controlled, unverified email address. The account takeover can be completed without user intervention, making users without two-factor authentication (2FA) particularly susceptible.

Users with 2FA enabled are protected from complete account takeover, although a password reset could still be achieved if the attacker also has control of the 2FA authenticator. GitLab supports app-based 2FA and WebAuthn device-based 2FA, which are considered more secure than SMS-based 2FA.

Affected GitLab versions that require immediate patching include:

• 16.1 to 16.1.5
• 16.2 to 16.2.8
• 16.3 to 16.3.6
• 16.4 to 16.4.4
• 16.5 to 16.5.5
• 16.6 to 16.6.3
• 16.7 to 16.7.1

All authentication mechanisms, including some using single sign-on (SSO), are impacted. GitLab recommends disabling password authentication options for self-managed customers with external identity providers configured to mitigate the vulnerability.

The vulnerability was reported through GitLab’s bug bounty program, and while there is currently no evidence of successful exploitation, wider attempts are anticipated following its public disclosure. Admins are advised to apply patches swiftly, and in the interim, enforcing 2FA for all accounts is recommended as a stop-gap measure to prevent account takeover attempts.

GitLab is actively addressing the situation by adding new tests to validate password reset logic, conducting a root cause analysis, and updating documentation to enhance awareness. A secondary critical vulnerability, CVE-2023-5356, allowing attackers to execute slash commands in Slack or Mattermost, was also addressed in the same patch round. Other less-severe fixes were introduced to address various issues across GitLab versions.

Explore top supply chain news stories at The Supply Chain Report. Visit ADAMftd.com for free international trade tools.