The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical improper access control vulnerability affecting GitLab Community and Enterprise Editions to its Known Exploited Vulnerabilities (KEV) catalog, citing the risk of account takeovers.
GitLab Account Takeover Flaw Tracked as CVE-2023-7028
The high-severity vulnerability, assigned CVE-2023-7028 with a CVSS score of 10.0, enables attackers to hijack accounts without user interaction by bypassing the email verification step of the account password reset flow, so that the reset link is delivered to an address the attacker controls.
GitLab’s advisory warns that the following versions are impacted:
- 16.1 before 16.1.6
- 16.2 before 16.2.9
- 16.3 before 16.3.7
- 16.4 before 16.4.5
- 16.5 before 16.5.6
- 16.6 before 16.6.4
- 16.7 before 16.7.2
Patches Available, Agencies Ordered to Remediate by May 22
GitLab has released security updates 16.7.2, 16.5.6, and 16.6.4 to address the flaw, with backported patches for 16.1.6, 16.2.9, and 16.3.7. Self-hosted users are urged to review logs for exploitation attempts targeting the /users/password path with multiple email addresses.
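To make the log review concrete, here is an added example (not from GitLab's advisory or this article) that scans lines in the shape of GitLab's gitlab-rails/production_json.log and flags password reset requests whose email parameter carries more than one address. The JSON field layout, the sample entries and the IP addresses are constructed assumptions for illustration.

```python
import json

# Constructed sample lines modelled on GitLab's production_json.log (one JSON object per line).
# The exact field layout is assumed; adjust the keys if your instance logs them differently.
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"192.0.2.10","time":"2024-01-12T10:00:00.000Z","status":302}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","evil@attacker.example"]}}],"remote_ip":"198.51.100.7","time":"2024-01-12T10:05:00.000Z","status":302}
{"method":"GET","path":"/api/v4/projects","params":[],"remote_ip":"192.0.2.11","time":"2024-01-12T10:06:00.000Z","status":200}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["bob@example.com"]}}],"remote_ip":"198.51.100.8","time":"2024-01-12T10:07:00.000Z","status":302}
"""

def _reset_emails(entry: dict) -> list:
    """Return the email value(s) submitted with the reset form, normalised to a list of strings."""
    for param in entry.get("params", []):
        if param.get("key") != "user":
            continue
        value = param.get("value")
        if not isinstance(value, dict):
            return []
        email = value.get("email")
        if isinstance(email, list):
            return [str(e) for e in email]
        if isinstance(email, str):
            return [email]
    return []

def find_suspicious_resets(log_text: str) -> list:
    """Flag POST /users/password requests whose email field holds more than one address.

    A legitimate reset names a single account; several addresses in one request is the
    pattern the GitLab advisory tells self-hosted admins to look for.
    """
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails = _reset_emails(entry)
        if len(emails) > 1:
            hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_LOG):
        print(f"{hit['time']} {hit['remote_ip']} reset requested for {hit['emails']}")
```

A hit does not prove a successful takeover; a patched instance rejects such requests, so correlate any match with the user's subsequent logins and password changes before treating the account as compromised.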
Per BOD 22-01, CISA has mandated federal agencies remediate this vulnerability by May 22, 2024, to mitigate the significant risk of known exploits. Private organizations are also strongly recommended to review the KEV catalog and patch their GitLab instances promptly.
Widespread Exposure Persists Despite Available Fixes
Despite the availability of patches, researchers at ShadowServer report thousands of vulnerable GitLab instances remain unpatched, predominantly in the United States, Germany, and Russia, highlighting the urgent need for prompt remediation of this account hijacking vulnerability.