A critical security vulnerability in GitLab [5] [7], known as CVE-2023-7028 and rated with a severity score of 10 by CISA, is actively exploited by attackers [4].

Description

This flaw, disclosed in January, allows attackers to hijack user accounts by redirecting password reset notifications to unauthorized email addresses [2] [3]. The vulnerability was introduced in a code modification on May 1, 2023 [2] and shipped in version 16.1.0 [2] [9]; it impacts all authentication methods and affects accounts that have not enabled multifactor authentication. Users with two-factor authentication are somewhat protected [3], but where exploitation succeeds the consequences can be severe: data theft [5], credential compromise [5], and source code manipulation.

GitLab has released patches in versions 16.5.6, 16.6.4 [5], and 16.7.2 [5], with fixes backported to earlier versions for comprehensive mitigation [5]. Over 2,000 internet-exposed GitLab instances remain unpatched against CVE-2023-7028 [8], and federal agencies are urged to apply the latest fixes by May 22, 2024 [5], to safeguard their networks and prevent further exploitation [5].

To mitigate this threat [1], organizations are advised to apply the latest security patches [1], enhance monitoring of GitLab environments [1], implement multi-factor authentication [1] [2] [3] [6], and conduct regular audits of configurations and user roles [1]. Publicly available exploits for this vulnerability put it within reach of less skilled attackers, underscoring the importance of timely patching to prevent account takeover incidents. CISA has included this vulnerability in its Known Exploited Vulnerabilities (KEV) database, emphasizing the need for federal agencies to promptly secure their networks.
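The "enhance monitoring" advice above can be made concrete. The following is an added example, not code from the article or from GitLab: a small Python checker run over constructed JSON request-log lines that flags password-reset requests whose email parameter carries more than one address, assumed here to be the footprint of the redirection the article describes. The log path, field names and nesting are assumptions modelled on GitLab's JSON request log and may differ on a given instance.

```python
import json
from typing import Iterable

# Constructed sample lines shaped like GitLab's gitlab-rails/production_json.log.
# The path, field names and nesting are assumptions for this example, not facts
# taken from the article; adjust them to your instance's actual log format.
SAMPLE_LOG = [
    json.dumps({"time": "2024-05-02T10:00:00Z", "method": "POST", "path": "/users/password",
                "remote_ip": "203.0.113.7",
                "params": [{"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"time": "2024-05-02T10:05:00Z", "method": "POST", "path": "/users/password",
                "remote_ip": "198.51.100.9",
                "params": [{"key": "user", "value": {"email": ["bob@example.com", "other@example.net"]}}]}),
    json.dumps({"time": "2024-05-02T10:06:00Z", "method": "GET", "path": "/users/sign_in",
                "remote_ip": "203.0.113.7", "params": []}),
    "this line is not JSON and must be skipped",
]

def reset_emails(entry: dict) -> list[str]:
    """Return the address(es) submitted in the password-reset form as a list.
    A legitimate reset names one address; an array of addresses is the pattern the
    article describes (the reset notice going to an address the owner did not authorize)."""
    for param in entry.get("params") or []:
        if param.get("key") == "user" and isinstance(param.get("value"), dict):
            email = param["value"].get("email")
            if isinstance(email, list):
                return [str(e) for e in email]
            if email is not None:
                return [str(email)]
    return []

def find_suspicious_resets(lines: Iterable[str]) -> list[dict]:
    """Flag POST /users/password requests whose email field holds more than one address."""
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed or non-JSON lines are skipped, not fatal
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = reset_emails(entry)
        if len(emails) > 1:
            hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"),
                         "emails": emails})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_LOG):
        print(f"{hit['time']} {hit['remote_ip']} reset requested for "
              f"{len(hit['emails'])} addresses: {', '.join(hit['emails'])}")
```

A hit is a starting point for review, not proof of compromise: confirm the account's current notification email, check whether the user recognises the request, and review the instance's patch level against the fixed versions listed above.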

Conclusion

The vulnerability in GitLab poses significant risks to organizations, with potential consequences including data theft, credential compromise [5], and source code manipulation. Mitigation strategies such as applying security patches, enhancing monitoring [1], implementing multi-factor authentication [1] [6], and conducting regular audits are crucial to prevent exploitation. Federal agencies are urged to promptly secure their networks to safeguard against this threat and protect sensitive information.

References

[1] https://cybersecuritynews.com/cisa-gitlab-password-reset-warning/
[2] https://vulert.com/blog/cisa-alert-gitlab-vulnerability-exploitation/
[3] https://stackdiary.com/us-warns-of-misuse-of-gitlab-leak-that-can-be-used-to-hijack-accounts/
[4] https://www.tftc.io/gitlab-account-hijack-vulnerability-exploitation-warning/
[5] https://www.rewterz.com/threat-advisory/severe-gitlab-password-reset-vulnerability-actively-exploited
[6] https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/
[7] https://www.darkreading.com/application-security/critical-gitlab-bug-exploit-account-takeover-cisa
[8] https://www.scmagazine.com/brief/cisa-immediate-gitlab-account-takeover-flaw-remediation-crucial-amid-attacks
[9] https://rhyno.io/blogs/cybersecurity-news/cisa-alerts-on-gitlab-password-reset-exploit/