GitLab Patches Critical Account Takeover Flaw

GitLab has fixed a critical-severity flaw in several versions of its platform that, if successfully exploited, could enable attackers to take over accounts without user interaction.

The flaw (CVE-2023-7028) stems from the fact that user account password reset emails can be delivered to unverified email addresses. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.1.5, 16.2 to 16.2.8, 16.3 to 16.3.6, 16.4 to 16.4.4, 16.5 to 16.5.5, 16.6 to 16.6.3 and 16.7 to 16.7.1 are impacted.

“Within these versions, all authentication mechanisms are impacted,” according to Greg Myers, security engineer with GitLab, in a Thursday security update. “Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.”

GitLab, the version management application for software projects based on git, has not observed any exploitation of the flaw on platforms that are managed by GitLab, including GitLab.com and GitLab Dedicated instances. The flaw was introduced in 16.1.0 in May 2023, and was reported through GitLab’s bug bounty program.

“The vulnerability is a result of a bug in the email verification process,” said Myers. “The bug has been fixed with this patch, and… we have implemented a number of preventive security measures to protect customers.”

GitLab said the fix has also been backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, and 16.7.2.

GitLab urges impacted end users and enterprise customers to update and enable two-factor authentication for all GitLab accounts, especially for administrator accounts. Additionally, self-managed customers should check their logs for potential attempts at exploitation.

“An attacker will not be able to takeover your account if you have 2FA enabled,” according to GitLab’s advisory. “They may still be able to reset your password but will not be able to access your second factor authentication method. If you are suddenly redirected to login, or see a reset email triggered, please reset your password.”

GitLab this week also issued patches for a second critical-severity issue that can allow threat actors to abuse Slack/Mattermost integrations in order to execute “slash” commands as another user (CVE-2023-5356); and a high-severity flaw enabling attackers to bypass the CODEOWNERS approval by adding changes to a previously approved merge request (CVE-2023-4812). This could allow attackers to bypass security mechanisms, but user interaction is required for successful exploitation.

Go to Source