GitLab has released security updates to address two critical vulnerabilities [2] [4] [7]. All GitLab installations should be upgraded immediately to the latest versions, 16.7.2, 16.6.4, or 16.5.6 [7], for both GitLab Community Edition (CE) and Enterprise Edition (EE) [1] [3] [4] [5] [6]. GitLab.com is already running the patched version [5], and customers are strongly advised to upgrade to the latest security release for their supported version.

Description

One of the critical vulnerabilities allows attackers to take over accounts without user interaction by exploiting a bug in the email verification process [4]. The bug allows a password reset to be completed through a secondary email address [4]. The affected versions of GitLab CE and EE have been fixed in versions 16.5.6, 16.6.4 [4], and 16.7.2 [1] [2] [3] [4] [5] [6] [7]. GitLab has also backported the fix to earlier versions [4] [7].

In addition to this vulnerability, there is another critical vulnerability that allows account takeover by resetting passwords without user interaction. Tracked as CVE-2023-7028 [7], it has a severity rating of 10.0 on the CVSS scoring system [7]. It affects GitLab self-managed instances running versions prior to 16.7.2 and allows password reset emails to be sent to unverified addresses, enabling attackers to hijack accounts [6]. The affected versions include GitLab CE and EE versions prior to 16.5.6, 16.6.4 [2], and 16.7.2 [1] [2] [3] [4] [5] [6] [7]. GitLab has fixed both vulnerabilities in versions 16.5.6, 16.6.4 [7], and 16.7.2 [1] [2] [3] [4] [5] [6] [7], and has backported the fixes to earlier versions [4] [7].
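The defect class described above, reset links delivered to addresses the account never verified, modelled as an added example. This is not GitLab's code and not a reconstruction of the actual GitLab change; the account model, function names and sample addresses are all constructed. It places a weak reset handler, which sends the link to whatever address was submitted, beside a hardened one that delivers only to addresses the account has verified and never uses the submitted address as the delivery target.

```python
"""Password-reset delivery: a weak pattern beside a hardened one.

Constructed model for illustration only (not GitLab's code).  An account has
one primary address verified at registration and may carry secondary
addresses that were attached but never completed verification.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str                              # verified at registration
    secondary_emails: set = field(default_factory=set)
    verified: set = field(default_factory=set)      # addresses that completed verification


class RecordingMailer:
    """Stand-in mailer that records deliveries so results can be inspected offline."""

    def __init__(self):
        self.sent = []          # list of (recipient, token)

    def send_reset_link(self, to, token):
        self.sent.append((to, token))


def find_account(accounts, email):
    """Resolve an account by primary or secondary address, verified or not."""
    for acct in accounts:
        if email == acct.primary_email or email in acct.secondary_emails:
            return acct
    return None


def weak_reset(accounts, mailer, submitted_emails):
    """Weak pattern: the account is resolved from any submitted address and the
    reset link is then delivered to every submitted address, without checking
    whether the account ever verified those addresses."""
    acct = None
    for email in submitted_emails:
        acct = find_account(accounts, email)
        if acct is not None:
            break
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    for email in submitted_emails:
        mailer.send_reset_link(email, token)     # delivery target chosen by the requester
    return token


def hardened_reset(accounts, mailer, submitted_emails):
    """Hardened pattern: exactly one address is accepted, the account is
    resolved from it, and the link goes only to the account's verified
    addresses.  The submitted address is never used as the delivery target.
    Returns the delivery targets for inspection; the HTTP layer in front of
    this should answer identically whether or not an account matched, so the
    endpoint does not reveal which addresses exist."""
    if len(submitted_emails) != 1:
        return []                                # multi-valued input is rejected outright
    acct = find_account(accounts, submitted_emails[0])
    if acct is None:
        return []
    token = secrets.token_urlsafe(32)
    targets = sorted(acct.verified)
    for addr in targets:
        mailer.send_reset_link(addr, token)
    return targets


def demo():
    """Constructed scenario: the account's primary address is verified; a
    secondary address was attached but never verified.  Returns the recipients
    each handler mailed when the unverified address is submitted."""
    victim = Account("victim", "victim@example.com",
                     secondary_emails={"unverified@example.net"},
                     verified={"victim@example.com"})
    accounts = [victim]

    weak_mailer = RecordingMailer()
    weak_reset(accounts, weak_mailer, ["unverified@example.net"])

    hard_mailer = RecordingMailer()
    hardened_reset(accounts, hard_mailer, ["unverified@example.net"])

    return ([to for to, _ in weak_mailer.sent], [to for to, _ in hard_mailer.sent])


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak handler mailed:    ", weak)
    print("hardened handler mailed:", hardened)
```

The design point is that the recipient of a reset link is a property of the account, not of the request: once the account is resolved, the handler consults the account's own verified-address set and ignores the submitted value for delivery. Rejecting multi-valued input and answering identically for unknown addresses are the two cheap extra checks that close off related misuse.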

Conclusion

To ensure security, it is highly recommended to upgrade to the latest versions of GitLab and enable two-factor authentication for all accounts. These vulnerabilities pose significant risks, and immediate action is necessary to protect against potential account takeovers. GitLab’s prompt response and fixes demonstrate their commitment to maintaining good security hygiene.
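A small checker for the upgrade advice above, added here as an example and not a GitLab tool: it parses a GitLab version string and compares it with the three patched releases the advisory names (16.5.6, 16.6.4, 16.7.2), treating anything at or above 16.7.2 as patched. The advisory says fixes were backported to earlier versions but does not list them, so lines older than 16.5 are reported as unknown rather than guessed. The helper that reads a JSON API response assumes the shape `{"version": "..."}`; the sample responses and version strings are constructed.

```python
"""Assess a GitLab version string against the patched releases named in the
advisory.  Constructed helper for illustration; not a GitLab tool."""
import json
import re

# Earliest patched release per minor line, as named in the advisory.
PATCHED = {
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
NEWEST_PATCHED = (16, 7, 2)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' and any suffix such
    as '-ee' are tolerated) into a comparable tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable', or an 'unknown: ...' note for a version.

    - at or above 16.7.2: patched (the advisory scopes the flaw to versions
      prior to 16.7.2)
    - 16.5.x / 16.6.x: compared with the patched release for that line
    - any other line: the advisory mentions backports but does not list them,
      so the result is left to the vendor's backport list
    """
    v = parse_version(version_text)
    if v >= NEWEST_PATCHED:
        return "patched"
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return "unknown: line not listed in advisory; check vendor backport list"
    return "patched" if v >= fixed else "vulnerable"


def assess_api_response(json_text):
    """Assess the JSON body returned by a version endpoint.  Assumed shape:
    {"version": "16.7.1", ...}; any other shape raises."""
    body = json.loads(json_text)
    if not isinstance(body, dict) or "version" not in body:
        raise ValueError("response lacks a 'version' field")
    return assess(body["version"])


if __name__ == "__main__":
    # Constructed sample inputs, not real instance responses.
    for sample in ["16.7.2", "16.7.1-ee", "16.6.3", "16.5.6", "16.4.5", "16.8.0"]:
        print(f"{sample:<10} -> {assess(sample)}")
    print(assess_api_response('{"version": "16.6.4", "revision": "placeholder"}'))
```

Run it against the output of your instance's version endpoint or the version shown in the admin area; a result of `vulnerable` means the instance is on one of the three lines the advisory covers but below the patched release, while `unknown` means the line is older and only the vendor's backport list can settle it.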

References

[1] https://www.darkreading.com/vulnerabilities-threats/gitlab-releases-updates-to-address-critical-vulnerabilities-
[2] https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-003
[3] https://flyytech.com/2024/01/14/gitlab-releases-updates-to-address-critical-vulnerabilities/
[4] https://owasp.or.id/2024/01/13/urgent-gitlab-releases-patch-for-critical-vulnerabilities/
[5] https://vuink.com/post/nobhg-d-dtvgyno-d-dpbz/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released
[6] https://www.techworm.net/2024/01/gitlab-security-update-fix-account-hijacking-flaw.html
[7] https://thehackernews.com/2024/01/urgent-gitlab-releases-patch-for.html