CVE-2023-7028: Gitlab Vulnerability – Account Takeover Via Simple Password Reset


A critical vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), which allows for remote account takeover without any user interaction. This flaw is specifically related to a password reset issue. All GitLab users must take immediate action and apply the necessary patches to mitigate this security risk. The vulnerability has been assigned a CVSS score of 10, signifying its severity.

What is an Account Takeover Vulnerability?

An account takeover vulnerability is a security weakness that lets an unauthorized party gain access to another user’s account. It can arise from various factors, such as weak passwords, phishing attacks, or the exploitation of software vulnerabilities.

Once an attacker gains control of an account, they can misuse it for malicious purposes, such as stealing sensitive information, conducting fraudulent activities, or spreading malware. Account takeover vulnerabilities pose a significant risk to individuals and organizations, as they can lead to financial loss, reputational damage, and compromised data security.


GitLab Account Takeover Vulnerability

In this instance, account takeover is possible because a crafted HTTP request can cause an unpatched instance to send a password reset email to an unverified email address. This allows an unauthorized party to gain control of user accounts, potentially leading to unauthorized access to and misuse of sensitive information.

The bug, identified as CVE-2023-7028, has been resolved in the latest releases of GitLab, specifically versions 16.5.6, 16.6.4, and 16.7.2, which were made available on Thursday. Additionally, the fix has been retroactively applied to earlier versions of GitLab, including 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

Here is an example of the exploitation payload, with placeholder addresses:

user[email][]=<victim-email>&user[email][]=<attacker-email>

Read how we identified a somewhat similar account takeover vulnerability in a mobility startup.

Check your GitLab logs for suspicious activity

GitLab mentioned:

We have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.

Self-managed customers can review their logs to check for any potential attempts to exploit this vulnerability. Follow these steps:

1. Check the `gitlab-rails/production_json.log` file for any HTTP requests made to the `/users/password` path with `params.value.email` containing a JSON array with multiple email addresses.

2. Additionally, inspect the `gitlab-rails/audit_json.log` file for any entries with `meta.caller.id` of `PasswordsController#create` and `target_details` consisting of a JSON array with multiple email addresses. By performing these checks, self-managed customers can ensure the security of their GitLab instances and take appropriate action if any suspicious activity is found.
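The two log checks above, implemented in Python as an added example (this code is not from the original post or from GitLab). It runs over constructed sample lines: the field names follow GitLab's guidance, but the exact JSON layout of the sample records is an assumption, so adjust the accessors to match your instance's logs.

```python
import json
# Constructed sample lines shaped after the fields named in GitLab's guidance (not real GitLab output);
# the second line of each log is the suspicious one.
PRODUCTION_LOG = r"""
{"time":"2024-01-12T09:00:00Z","method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com"]}}],"status":302}
{"time":"2024-01-12T09:01:00Z","method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","mallory@example.net"]}}],"status":302}
{"time":"2024-01-12T09:02:00Z","method":"GET","path":"/users/sign_in","params":[],"status":200}
"""
AUDIT_LOG = r"""
{"time":"2024-01-12T09:00:00Z","meta.caller.id":"PasswordsController#create","target_details":"[\"alice@example.com\"]"}
{"time":"2024-01-12T09:01:00Z","meta.caller.id":"PasswordsController#create","target_details":"[\"alice@example.com\", \"mallory@example.net\"]"}
{"time":"2024-01-12T09:03:00Z","meta.caller.id":"SessionsController#create","target_details":"alice"}
"""

def _entries(log_text):
    """Yield one parsed JSON object per non-empty log line."""
    return (json.loads(line) for line in log_text.splitlines() if line.strip())

def _emails_in_params(params):
    """Flatten every params[*].value.email; GitLab logs parameters as {"key","value"} pairs (assumed layout)."""
    emails = []
    for param in params or []:
        value = param.get("value")
        if isinstance(value, dict) and "email" in value:
            email = value["email"]
            emails.extend(email if isinstance(email, list) else [email])
    return emails

def suspicious_reset_requests(log_text):
    """Step 1: /users/password requests whose email parameter is an array of 2+ addresses."""
    hits = []
    for entry in _entries(log_text):
        emails = _emails_in_params(entry.get("params"))
        if entry.get("path") == "/users/password" and len(emails) > 1:
            hits.append({"time": entry.get("time"), "emails": emails})
    return hits

def suspicious_audit_entries(log_text):
    """Step 2: PasswordsController#create audit events whose target_details lists 2+ addresses."""
    hits = []
    for entry in _entries(log_text):
        if entry.get("meta.caller.id") != "PasswordsController#create":
            continue
        details = entry.get("target_details")
        if isinstance(details, str) and details.startswith("["):  # array serialised as a string
            details = json.loads(details)
        if isinstance(details, list) and len(details) > 1:
            hits.append({"time": entry.get("time"), "emails": details})
    return hits
```

Feed the contents of `gitlab-rails/production_json.log` and `gitlab-rails/audit_json.log` to the two functions; each returned entry carries the timestamp and the list of addresses to investigate.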

Other Disclosed Vulnerabilities:

Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user (CVE-2023-5356)
Bypass CODEOWNERS approval removal (CVE-2023-4812)
Workspaces able to be created under different root namespace (CVE-2023-6955)
Commit signature validation ignores headers after signature (CVE-2023-2030)

Conclusion

In conclusion, CVE-2023-7028 in GitLab poses a significant threat to user accounts, as it allows an account takeover through a simple password reset. This vulnerability highlights the importance of implementing strong password policies and multi-factor authentication to protect against such attacks. GitLab users should promptly update their systems to the latest version and ensure that their passwords are unique and complex. Additionally, organizations should regularly monitor their GitLab instances for any suspicious activity and promptly investigate any potential security breaches.

Schedule a free call with Bluefire Redteam to discover such critical vulnerabilities.
