
GitLab has released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition.
The most severe of the two, tracked as CVE-2023-7028 with a CVSS score of 10, is an account takeover via the password reset flow. The flaw can be exploited to hijack an account without any user interaction.
The flaws impact the following versions:
- 16.1 prior to 16.1.5
- 16.2 prior to 16.2.8
- 16.3 prior to 16.3.6
- 16.4 prior to 16.4.4
- 16.5 prior to 16.5.6
- 16.6 prior to 16.6.4
- 16.7 prior to 16.7.2
GitLab is not aware of attacks in the wild exploiting CVE-2023-7028. GitLab recommends that self-managed customers review their logs for possible attempts to exploit this vulnerability:
- Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
- Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
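The two log checks above are easy to automate. The script below is an added example written for this article, not GitLab's own tooling: it scans JSON-lines output in the shape of gitlab-rails/production_json.log and gitlab-rails/audit_json.log and flags exactly the indicators the advisory names (a /users/password request whose params.value.email is an array of more than one address, and a PasswordsController#create audit entry whose target_details is such an array). The sample log lines are constructed for the demonstration, and the field layout (a `params` list of key/value objects, a flat `meta.caller.id` key) is assumed from the advisory and GitLab's documented log format rather than taken from a real instance.

```python
import json
from typing import Iterable, Optional

# Constructed sample lines in the shape of gitlab-rails/production_json.log.
# The second line carries the advisory's indicator: params.value.email is a
# JSON array with more than one address. Addresses and IPs are documentation
# ranges, not real data.
PRODUCTION_LOG = r"""
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"192.0.2.10","status":200}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7","status":200}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"192.0.2.11","status":200}
"""

# Constructed sample lines in the shape of gitlab-rails/audit_json.log.
# target_details is assumed to be a string; when it holds a JSON array of
# several addresses, that is the indicator the advisory describes.
AUDIT_LOG = r"""
{"meta.caller.id":"PasswordsController#create","target_details":"alice@example.com","time":"2024-01-12T10:00:00Z"}
{"meta.caller.id":"PasswordsController#create","target_details":"[\"victim@example.com\",\"attacker@example.net\"]","time":"2024-01-12T10:01:00Z"}
{"meta.caller.id":"SessionsController#create","target_details":"bob@example.com","time":"2024-01-12T10:02:00Z"}
"""


def _as_email_list(value) -> Optional[list]:
    """Return the value as a list of addresses if it is a JSON array (either a
    real list or a string containing one); otherwise None."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return None
    if isinstance(value, list):
        return [str(v) for v in value]
    return None


def _iter_json(lines: Iterable[str]):
    """Yield parsed JSON objects, skipping blank or malformed lines so one bad
    line does not abort a scan of a large log."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_password_reset_suspects(production_lines: Iterable[str]) -> list:
    """Flag /users/password requests where params.value.email is an array of
    more than one address (the production_json.log indicator)."""
    hits = []
    for entry in _iter_json(production_lines):
        path = str(entry.get("path", "")).split("?", 1)[0]
        if path != "/users/password":
            continue
        for param in entry.get("params", []):
            value = param.get("value") if isinstance(param, dict) else None
            if not isinstance(value, dict):
                continue
            emails = _as_email_list(value.get("email"))
            if emails and len(emails) > 1:
                hits.append({"remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def find_audit_suspects(audit_lines: Iterable[str]) -> list:
    """Flag PasswordsController#create audit entries whose target_details is
    an array of more than one address (the audit_json.log indicator)."""
    hits = []
    for entry in _iter_json(audit_lines):
        if entry.get("meta.caller.id") != "PasswordsController#create":
            continue
        emails = _as_email_list(entry.get("target_details"))
        if emails and len(emails) > 1:
            hits.append({"time": entry.get("time"), "emails": emails})
    return hits


if __name__ == "__main__":
    # On a real instance, replace the constructed strings with the file contents,
    # e.g. open("/var/log/gitlab/gitlab-rails/production_json.log").
    for hit in find_password_reset_suspects(PRODUCTION_LOG.splitlines()):
        print("production_json.log:", hit)
    for hit in find_audit_suspects(AUDIT_LOG.splitlines()):
        print("audit_json.log:", hit)
```

A legitimate reset request carries a single address, so any array with two or more entries is worth investigating regardless of how many times it appears; the `remote_ip` and `time` fields in each hit give the pivot points for the rest of the review.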
The second vulnerability, tracked as CVE-2023-5356 with a CVSS score of 9.6, can be exploited by an attacker to abuse Slack/Mattermost integrations and execute slash commands as another user.
GitLab also addressed the following issues with the release of version 16.7.2:
- CVE-2023-4812: Bypass CODEOWNERS approval removal.
- CVE-2023-6955: Improper access control for Workspaces.
- CVE-2023-2030: Commit signature validation ignores headers after signature.
GitLab urges organizations to update their installations immediately.