A critical security vulnerability found in GitLab has caught the attention of many users, prompting the company to issue an emergency patch. The flaw, identified as CVE-2023-7028, is rated with a CVSS 10.0 score, the highest possible severity ranking.
The vulnerability stems from a change introduced in GitLab 16.1.0 on May 1, 2023, that allows users to reset their password through a secondary email address. That change turned out to be the root cause of the critical account takeover flaw.
According to GitLab's statement, the issue can be exploited on an unpatched instance by sending a specially crafted HTTP request that causes the password reset email to be delivered to an unverified email address. This can lead to a remote account takeover with no interaction from the victim.
Thankfully, GitLab has already addressed the issue in several versions of the platform, including 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, and 16.7.2. Users are strongly advised to update their instances of GitLab to one of these patched versions to protect against exploitation of the vulnerability.
In addition to patching the vulnerability, GitLab recommends that all user accounts have two-factor authentication (2FA) enabled. 2FA prevents the account takeover itself, since a reset password alone is not enough to log in, but it does not stop the unauthorized password reset from happening in the first place.
Despite the severity of the bug, GitLab assured users that the flaw has not been exploited on the GitLab.com platform or GitLab Dedicated instances. However, users of self-managed GitLab instances are advised to monitor their logs for any potential abuse of the vulnerability.
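The log review GitLab recommends can be scripted. The following is an added example, not GitLab's own tooling: it reads one-JSON-object-per-line request logs in the shape of `gitlab-rails/production_json.log` and flags `POST /users/password` requests in which the `user[email]` parameter carries more than one address, which is the pattern the fix in this release removes. The field layout (`path`, `params` as a list of `key`/`value` pairs, `remote_ip`, `time`) and the sample lines are assumptions constructed for the example, not captured from a real instance; a single-address reset, including one submitted as a one-element array, is deliberately left alone so the scan does not bury real hits in normal traffic.

```python
"""Scan GitLab-style JSON request logs for password-reset requests that carry
more than one email address (the CVE-2023-7028 pattern).

Added example for this article, not GitLab's own code. The log layout is
assumed to follow gitlab-rails/production_json.log: one JSON object per line,
with a "path" and a "params" list of {"key": ..., "value": ...} entries.
"""
import json
import sys

RESET_PATH = "/users/password"

# Constructed sample lines (not captured from a real instance). Line 3 is the
# only one that should be flagged; line 5 is a one-element array and is benign.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.10","time":"2024-01-12T10:00:00.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.10","time":"2024-01-12T10:00:01.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7","time":"2024-01-12T10:00:02.000Z"}
not json at all
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["bob@example.com"]}}],"remote_ip":"198.51.100.8","time":"2024-01-12T10:00:03.000Z"}
"""


def reset_emails(entry):
    """Return the email value(s) submitted in the user[email] parameter as a list.

    A plain string yields a one-element list; a JSON array is returned as-is so
    the caller can count how many addresses one request carried.
    """
    for param in entry.get("params") or []:
        if param.get("key") != "user":
            continue
        value = param.get("value")
        if not isinstance(value, dict):
            continue
        email = value.get("email")
        if isinstance(email, list):
            return [str(e) for e in email]
        if email is not None:
            return [str(email)]
    return []


def find_suspicious_resets(lines):
    """Return findings for /users/password requests that carry >1 email address."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the whole scan
        if entry.get("path") != RESET_PATH:
            continue
        emails = reset_emails(entry)
        if len(emails) > 1:
            findings.append({
                "line": lineno,
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": emails,
            })
    return findings


def scan_text(text):
    """Scan an in-memory log body (used for the constructed sample)."""
    return find_suspicious_resets(text.splitlines())


def scan_file(path):
    """Scan a log file on disk line by line."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_resets(fh)


if __name__ == "__main__":
    # Usage: python scan_resets.py /var/log/gitlab/gitlab-rails/production_json.log
    # With no argument the constructed sample is scanned instead.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']} {hit['time']} from {hit['remote_ip']}: "
              f"{len(hit['emails'])} addresses in one reset request -> {hit['emails']}")
    if not hits:
        print("no multi-address password reset requests found")
```

A hit means a reset email may have gone to an address the account owner never verified; the follow-up is to check the affected account's current email and password-change history and rotate its credentials and tokens. GitLab's advisory for this release also points at `gitlab-rails/audit_json.log`, where the same pattern shows up as `PasswordsController#create` entries whose target details list more than one address, so the two logs can be cross-checked.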
GitLab also thanked a user identified as “asterion04” who discovered and reported the vulnerability through GitLab’s HackerOne bug bounty program. The company has credited this individual for their contribution to improving the security of the platform.
To provide further protection against similar vulnerabilities in the future, GitLab has updated its password reset logic to no longer accept submission of multiple email addresses for reset links.
Beyond the password reset vulnerability, GitLab addressed other security issues in the same release. Notably, version 16.7.2 also carries patches for several other high-severity vulnerabilities, including CVE-2023-4812, CVE-2023-6955, and CVE-2023-2030, which is a further reason to upgrade rather than rely on mitigations alone.
The discovery and swift response to the critical vulnerability by GitLab reflect the company’s commitment to ensuring the security and integrity of its platform. Users are strongly encouraged to update their GitLab instances as soon as possible to protect against potential exploits and to implement two-factor authentication to mitigate the risk of unauthorized access to their accounts.