GitLab is warning users about a critical vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability in question, CVE-2023-7028, allows hackers to take over accounts. Patches have already been released.
According to GitLab, the CVE-2023-7028 vulnerability makes it possible to easily take over accounts. Namely, this can be done by having emails to reset passwords delivered to an unverified email address. Those without 2FA enabled could lose access to their own accounts without the new patch.
When CE and Enterprise end users do use 2FA to log into their accounts, the vulnerability only allows hackers to reset passwords. The accounts cannot then be taken over as the external authentication method is required after a password change request.
Problem with email authentication
The vulnerability was itself introduced by GitLab with the release of the GitLab CE and Enterprise editions v 16.1.0. This included the ability to reset a password via a second email address. The bug in question ended up in the email verification process.
No active exploits yet
The bug has been active since May 2023, but may have remained unknown outside of GitLab itself. Active exploits of the vulnerability are therefore not known, but GitLab urges users who host the platform themselves to check their own log files carefully.
The development platform has already patched the bug and released updated versions 16.7.2, 16.6.4 and 16.5.6 for both editions. End users should implement the updates as soon as possible, GitLab indicates.
Also read: GitLab 16 unveiled