Gitlab CVE-2023-7028 added to CISA KEV Catalog

The US CISA has added a critical vulnerability in GitLab’s Community and Enterprise Editions to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is under active exploitation.

The vulnerability, tracked as CVE-2023-7028 with a CVSS score of 10, was disclosed by GitLab in January. At the time of disclosure, GitLab reported that the vulnerability had existed since May 2023, though there was no evidence of successful exploitation.


Given the active exploitation now being observed, CISA has added it to the catalog. The vulnerability is classed as an improper access control flaw that offers attackers a zero-click route to a full account takeover.

A specially crafted HTTP request sends a password reset link to an unverified, attacker-controlled email address, enabling unauthorized account takeovers.

Given the nature of GitLab’s business, the obvious danger here is the vulnerability being abused by attackers to carry out software supply chain attacks – surreptitiously modifying source code to breach countless organizations.


The following versions are vulnerable:

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

According to a Shadowserver report, there are currently 2,149 vulnerable GitLab environments exposed, down from 4,652 in January, with the largest concentrations in Europe and Asia.

GitLab fixed the vulnerability in versions 16.5.6, 16.6.4, and 16.7.2, and also backported the patches for versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
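The affected ranges and patched releases listed above can be turned into a quick inventory check. The script below is an added example, not code from the post or from GitLab: the version ranges and fixed releases are exactly the ones the post lists, while the handling of GitLab's `-ee`/`-ce` edition suffix in version strings and the sample inventory are assumptions constructed for the example.

```python
"""Check GitLab version strings against the affected ranges for CVE-2023-7028.

Added example: the ranges and patched releases below are the ones the post
lists; the '-ee'/'-ce' suffix handling is an assumed GitLab naming convention.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first vulnerable, last vulnerable) ranges from the post, keyed by
# the 16.x minor series.
VULNERABLE_RANGES = {
    (16, 1): ((16, 1, 0), (16, 1, 5)),
    (16, 2): ((16, 2, 0), (16, 2, 8)),
    (16, 3): ((16, 3, 0), (16, 3, 6)),
    (16, 4): ((16, 4, 0), (16, 4, 4)),
    (16, 5): ((16, 5, 0), (16, 5, 5)),
    (16, 6): ((16, 6, 0), (16, 6, 3)),
    (16, 7): ((16, 7, 0), (16, 7, 1)),
}

# First fixed release per series: 16.5.6, 16.6.4, 16.7.2 plus the backports.
PATCHED = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

# Assumption: versions look like '16.5.3' or '16.5.3-ee' / '16.5.3-ce'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside one of the affected ranges listed in the post."""
    v = parse_version(text)
    series = (v[0], v[1])
    if series not in VULNERABLE_RANGES:
        # Series not listed in the post (16.0 and earlier, 16.8 and later).
        return False
    low, high = VULNERABLE_RANGES[series]
    return low <= v <= high


def recommended_fix(text: str) -> Optional[str]:
    """Return the first fixed release for a vulnerable version, or None if not affected."""
    if not is_vulnerable(text):
        return None
    v = parse_version(text)
    return ".".join(str(n) for n in PATCHED[(v[0], v[1])])


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the version each one reports.
    inventory = {
        "git.example.test": "16.6.2-ee",
        "ci.example.test": "16.7.2-ee",
        "legacy.example.test": "16.1.3-ce",
        "new.example.test": "16.8.0-ee",
    }
    for host, version in inventory.items():
        fix = recommended_fix(version)
        status = f"VULNERABLE, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{host:22} {version:10} {status}")
```

Versions are compared as integer tuples rather than strings so that, for example, 16.1.10 would sort after 16.1.5 correctly; anything outside the listed 16.1 to 16.7 series is reported as not affected, which mirrors the post's list rather than making claims about releases it does not mention.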
