A critical vulnerability has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows remote account takeover without any user interaction. The flaw sits in the password reset flow. Administrators of self-managed GitLab instances should apply the patched versions immediately. The vulnerability has been assigned the maximum CVSS score of 10.0.
What is an Account Takeover Vulnerability?
An account takeover vulnerability is a security weakness that lets an unauthorized party gain control of another user's account. It can stem from weak or reused passwords, phishing, or the exploitation of software vulnerabilities such as the one described here.
Once an attacker gains control of an account, they can misuse it for malicious purposes, such as stealing sensitive information, conducting fraudulent activities, or spreading malware. Account takeover vulnerabilities pose a significant risk to individuals and organizations, as they can lead to financial loss, reputational damage, and compromised data security.
GitLab Account Takeover Vulnerability
In this case, an attacker sends a crafted HTTP request to the password reset endpoint of an unpatched instance so that the reset email, which carries the reset token, is delivered to an attacker-controlled, unverified email address. The attacker then uses that token to set a new password and log in as the victim, with no action required from the victim and full access to the account's repositories, tokens and CI/CD secrets.
The bug, tracked as CVE-2023-7028, was introduced in GitLab 16.1.0 and is fixed in versions 16.5.6, 16.6.4 and 16.7.2, released on Thursday, January 11, 2024. The fix was also backported to 16.1.6, 16.2.9, 16.3.7 and 16.4.5. Every 16.1 through 16.7 release older than the corresponding fixed version is affected.
Here is the shape of the request body used to trigger it, with placeholder addresses:
`user[email][]=victim@example.com&user[email][]=attacker@example.com`
Because the `user[email]` field is sent twice with a `[]` suffix, Rails decodes it as an array of two addresses instead of a single string, and the reset email is sent to both.
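To make the mechanism concrete, here is an added Python model of the flaw class. It is example code written for this article, not GitLab's Rails code, and it does not reproduce GitLab's exact code path: a Rack-style decoder turns the two `user[email][]` fields into a list, a vulnerable handler mails the reset token to every address it was given, and a hardened handler accepts only a single string and mails only the address stored on the account. The account store and all addresses are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

BRACKET = re.compile(r"\[([^\]]*)\]")


def rails_params(body: str) -> dict:
    """Decode a form-encoded body into nested parameters the way Rack/Rails does.

    Only the subset needed here is modelled: `a[b]=v` -> {"a": {"b": "v"}} and
    `a[b][]=v1&a[b][]=v2` -> {"a": {"b": ["v1", "v2"]}}. The point is that the
    client decides whether user[email] arrives as a string or as an array.
    """
    params: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        head, _, rest = key.partition("[")
        path = [head] + (BRACKET.findall("[" + rest) if rest else [])
        *parents, leaf = path
        is_array = leaf == "" and bool(parents)   # trailing "[]" = append to array
        if is_array:
            *parents, leaf = parents
        node = params
        for part in parents:
            node = node.setdefault(part, {})
        if is_array:
            node.setdefault(leaf, []).append(value)
        else:
            node[leaf] = value
    return params


# Constructed account store standing in for the users table (placeholder data).
ACCOUNTS = {"victim@example.com": {"id": 42, "email": "victim@example.com"}}

# Request bodies with placeholder addresses: the attack shape and a normal reset.
ATTACK_BODY = "user[email][]=victim@example.com&user[email][]=attacker@example.net"
BENIGN_BODY = "user[email]=victim@example.com"


def reset_recipients_vulnerable(body: str) -> list:
    """Model of the flaw: the submitted value is used both to find the account and
    as the recipient. When it is an array, the lookup still matches the victim
    (an IN-list query) and the mailer delivers the token to every address listed,
    including the attacker's unverified one."""
    email = rails_params(body).get("user", {}).get("email")
    recipients = email if isinstance(email, list) else [email]
    if any(addr in ACCOUNTS for addr in recipients):
        return recipients
    return []


def reset_recipients_hardened(body: str) -> list:
    """Hardened handling: require a single string, look the account up, and mail
    only the address stored (and verified) on the account, never the raw input.
    Non-string input is dropped; the caller renders the same generic response
    in every case so account existence is not leaked."""
    email = rails_params(body).get("user", {}).get("email")
    if not isinstance(email, str):
        return []
    account = ACCOUNTS.get(email.strip().lower())
    return [account["email"]] if account else []


if __name__ == "__main__":
    print("decoded params:", rails_params(ATTACK_BODY))
    print("vulnerable sends token to:", reset_recipients_vulnerable(ATTACK_BODY))
    print("hardened sends token to:  ", reset_recipients_hardened(ATTACK_BODY))
```

The hardened variant also shows the general rule for any reset or verification flow: the recipient of a secret token must be read from the account record, never echoed back from the request.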
Check your GitLab logs for suspicious activity
GitLab reports that it has not detected any abuse of this vulnerability on the platforms it manages, including GitLab.com and GitLab Dedicated instances.
Self-managed customers can review their logs for exploitation attempts:
1. Check `gitlab-rails/production_json.log` for HTTP requests to the `/users/password` path in which `params.value.email` is a JSON array containing more than one email address.
2. Check `gitlab-rails/audit_json.log` for entries in which `target_details` is a JSON array containing more than one email address.
A match means a password reset was requested with two addresses at once, which the legitimate reset form never does. Treat any matched account as potentially compromised: reset its password, revoke its sessions and personal access tokens, rotate any secrets it could reach, and enable two-factor authentication.
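The two log checks above, implemented as an added Python example (not GitLab's own tooling). It assumes the JSON-lines layout GitLab documents: `production_json.log` entries carry `path` and a `params` list of `{key, value}` objects, and `audit_json.log` entries carry `target_details`. The sample lines are constructed and trimmed to the fields the checks read.

```python
import json

RESET_PATH = "/users/password"


def _events(lines):
    """Yield (line_number, event) for each line that parses as a JSON object."""
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue          # non-JSON lines do turn up in rotated logs; skip them
        if isinstance(ev, dict):
            yield n, ev


def suspicious_reset_requests(lines):
    """Step 1: password-reset requests in production_json.log whose user.email
    parameter is an array of more than one address. Rails logs params as a list
    of {key, value} objects, so `params.value.email` is the email nested under
    the `user` key."""
    hits = []
    for n, ev in _events(lines):
        if ev.get("path") != RESET_PATH:
            continue
        for param in ev.get("params") or []:
            if not isinstance(param, dict) or param.get("key") != "user":
                continue
            value = param.get("value")
            email = value.get("email") if isinstance(value, dict) else None
            if isinstance(email, list) and len(email) > 1:
                hits.append({"line": n, "time": ev.get("time"),
                             "remote_ip": ev.get("remote_ip"), "emails": email})
    return hits


def suspicious_audit_events(lines):
    """Step 2: audit_json.log entries whose target_details is an array of more
    than one email address (in normal operation it is a single string)."""
    hits = []
    for n, ev in _events(lines):
        details = ev.get("target_details")
        if (isinstance(details, list) and len(details) > 1
                and all(isinstance(d, str) and "@" in d for d in details)):
            hits.append({"line": n, "time": ev.get("time"), "emails": details})
    return hits


# Constructed sample lines: only the fields the checks read are included; real
# GitLab log lines carry many more (duration, correlation_id, user agent, ...).
PRODUCTION_LOG = [
    json.dumps({"method": "POST", "path": "/users/password", "status": 302,
                "time": "2024-01-12T09:15:02.113Z", "remote_ip": "198.51.100.7",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"method": "POST", "path": "/users/password", "status": 302,
                "time": "2024-01-12T09:17:44.901Z", "remote_ip": "203.0.113.21",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["alice@example.com",
                                                                "attacker@example.net"]}}]}),
    json.dumps({"method": "GET", "path": "/api/v4/projects", "status": 200,
                "time": "2024-01-12T09:18:00.000Z", "remote_ip": "198.51.100.9",
                "params": [{"key": "topic", "value": ["ci", "security"]}]}),
    "2024-01-12 09:18:01 not a JSON line",
]

AUDIT_LOG = [
    json.dumps({"time": "2024-01-12T09:15:02.300Z", "entity_type": "User",
                "entity_id": 42, "target_details": "alice@example.com"}),
    json.dumps({"time": "2024-01-12T09:17:45.120Z", "entity_type": "User",
                "entity_id": 42, "target_details": ["alice@example.com",
                                                    "attacker@example.net"]}),
]


if __name__ == "__main__":
    for hit in suspicious_reset_requests(PRODUCTION_LOG):
        print("production_json.log:", hit)
    for hit in suspicious_audit_events(AUDIT_LOG):
        print("audit_json.log:", hit)
```

On an Omnibus install the files live under `/var/log/gitlab/gitlab-rails/`; pass an open file object to either function, since both iterate line by line and never load the whole log into memory. Rotated `.gz` archives should be scanned too, as the vulnerability window reaches back to 16.1.0.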
Other Disclosed Vulnerabilities:
The same release fixed the following issues as well:
- Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
- Bypass CODEOWNERS approval removal
- Workspaces able to be created under different root namespace
- Commit signature validation ignores headers after signature
In conclusion, CVE-2023-7028 poses a severe threat to GitLab accounts because a single crafted password reset request hands the attacker the reset token. Password strength offers no protection here, since the attacker chooses the new password; two-factor authentication does, because GitLab reports that accounts with 2FA enabled could have their password reset but could not be taken over without the second factor. Self-managed GitLab users should upgrade to a fixed version without delay, enable 2FA for all accounts (enforced instance-wide where possible), and review the logs described above for exploitation attempts, treating any match as a potential breach.
Schedule a free call with Bluefire Redteam to discover such critical vulnerabilities.