Account Takeover via Password Reset without user interaction:

A critical user account takeover vulnerability has been discovered in GitLab (CVE-2023-7028) that attackers can easily exploit to reset GitLab user account passwords.

Issue root cause:
A change introduced in 16.1.0 allowed users to reset their password through a secondary email address. The vulnerability stems from a bug in the email verification process: an attacker could cause password reset emails for a user account to be delivered to an unverified email address. This vulnerability is now mitigated in the latest release.


Fixed Versions:
Versions 16.7.2, 16.6.4 and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). The security fix is also backported to GitLab versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5.

Recommendations:
1. We strongly recommend that all installations are upgraded to the latest version as soon as possible.
2. Enable Two-Factor Authentication (2FA) for all GitLab accounts.
3. Rotate all secrets stored in GitLab:
– All credentials, including GitLab account passwords
– API tokens
– Any certificates
– Any other secrets
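Added example (not part of the advisory or GitLab's own tooling): a small Python triage helper that flags instance versions still lacking the fix, using only the first affected release (16.1.0) and the fixed releases listed above. The inventory hostnames and versions in it are constructed sample data.

```python
"""Flag GitLab CE/EE versions that still lack the CVE-2023-7028 fix, using only
the first affected release and the fixed releases given in the advisory."""
import re

# Fixed patch level per 16.x minor line (patched releases plus backports).
# Any release on one of these lines below the listed patch is still affected.
FIXED_PATCH_BY_MINOR = {1: 6, 2: 9, 3: 7, 4: 5, 5: 6, 6: 4, 7: 2}
FIRST_AFFECTED = (16, 1, 0)  # secondary-email password reset landed in 16.1.0


def parse_version(text):
    """Parse 'X.Y.Z', optionally suffixed like '16.7.1-ee', into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if this version is within the vulnerable range."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False  # predates the secondary-email reset change
    if major > 16 or minor > 7:
        return False  # 16.8 and later ship with the fix
    return patch < FIXED_PATCH_BY_MINOR[minor]


def triage(inventory):
    """Given {instance_name: version}, return the names still needing an upgrade."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "gitlab-dev": "16.7.1-ee",
        "gitlab-prod": "16.7.2-ee",
        "gitlab-legacy": "16.0.8",
        "gitlab-ci": "16.4.4",
        "gitlab-new": "16.8.0",
    }
    for name in triage(sample):
        print(f"{name}: {sample[name]} needs upgrading (CVE-2023-7028)")
```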

Blog by- SecIQ Security Research Team