Securing GitLab: Critical Vulnerability Mitigated with Latest Release
— Sam Jacob Dec, 2, 2023
Account Takeover via Password Reset without user interactions:
A Critical user account takeover vulnerability has been discovered in Gitlab (CVE-2023-7028) which can be easily exploited by attackers to reset GitLab user account passwords.
Issue root cause:
A change was made in 16.1.0 that allowed users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. an attacker could initiate user account password reset emails to be delivered to an unverified email address. This vulnerability is now mitigated in the latest release.
Fixed Versions:
Versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). This security fix is also backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
Recommendations:
1. We strongly recommend that all installations are upgraded to the latest version as soon as possible.
2. Enable Two-Factor Authentication (2FA) for all GitLab accounts
3. Rotate all secrets stored in GitLab:
– All credentials, including GitLab account passwords
– API tokens
– Any certificates
– Any other secrets