Heads up, GitLab users! It’s time to upgrade to the latest GitLab versions, as the updates address multiple security flaws, including a zero-click vulnerability.
GitLab Disclosed A Serious Zero-Click Flaw Allowing Account Hijacking
GitLab has disclosed five security vulnerabilities affecting both GitLab Community Edition (CE) and Enterprise Edition (EE), exposing self-managed users to a range of threats. The most serious of the five is a zero-click flaw that allows account hijacking.
Regarding the zero-click flaw, GitLab explained that a successful exploit lets an adversary take over a target account without any interaction from the victim. The bug was introduced by a feature change that let users reset their passwords through a secondary email address. Because the new code did not require that address to be verified, password reset emails could be delivered to an unverified address chosen by the attacker, who then receives a working reset link for the victim's account.
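To make the failure mode concrete, here is a small model of a password reset handler in its weak and hardened forms. This is an added example written for this article, not GitLab's code: the toy user store, the addresses, and the assumption that the reset request's `email` field may carry more than one address are all constructed for illustration.

```python
"""Model of the password-reset weakness discussed above.

Added example, not GitLab's code.  Assumptions (not stated by the article):
a toy user store mapping each address to a verified flag, and a reset request
whose 'email' field may be a single string or a list of addresses.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    emails: dict = field(default_factory=dict)  # address -> verified?


# Constructed sample data: the victim has one verified primary address and a
# secondary address that was added but never confirmed.
USERS = [
    User("victim", {"victim@example.com": True, "victim-alt@example.net": False}),
]


def find_user_by_email(address):
    """Return the user owning `address` (verified or not), or None."""
    for u in USERS:
        if address in u.emails:
            return u
    return None


def vulnerable_send_reset(request_emails, outbox):
    """Weak handler: once any submitted address matches an account, a reset
    token is mailed to EVERY submitted address, with no verification check.
    Mailing an unverified or attacker-supplied address hands over the token."""
    addresses = request_emails if isinstance(request_emails, list) else [request_emails]
    user = None
    for a in addresses:
        user = user or find_user_by_email(a)
    if user is None:
        return False
    token = secrets.token_urlsafe(32)
    for a in addresses:
        outbox.append((a, token))  # includes addresses the account never verified
    return True


def hardened_send_reset(request_email, outbox):
    """Hardened handler: accept exactly one address, look the account up by it,
    and deliver only to that address and only if the account has verified it."""
    if not isinstance(request_email, str):
        return False  # reject arrays and any other non-scalar request shape
    user = find_user_by_email(request_email)
    if user is None or not user.emails.get(request_email, False):
        return False  # unknown or unverified address: send nothing
    token = secrets.token_urlsafe(32)
    outbox.append((request_email, token))
    return True


def demo():
    """Who receives a reset token under each handler for a request that pairs
    the victim's verified address with an attacker-controlled one."""
    attack = ["victim@example.com", "attacker@evil.example"]
    vuln_outbox, hard_outbox = [], []
    vulnerable_send_reset(attack, vuln_outbox)
    hardened_send_reset(attack, hard_outbox)
    return {
        "vulnerable_recipients": [addr for addr, _ in vuln_outbox],
        "hardened_recipients": [addr for addr, _ in hard_outbox],
    }


if __name__ == "__main__":
    print(demo())
```

In the weak version the attacker never needs the victim's mailbox: the reset link is simply mailed to an address the victim never confirmed. The hardened version keys everything off a single, verified address. In a real endpoint the HTTP response should also be identical whether or not the address exists, so the reset form cannot be used to enumerate accounts; the distinct return values here are only for the demonstration.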
The flaw, tracked as CVE-2023-7028 and rated critical, was reported through GitLab's bug bounty program by the researcher known as asterion04. It affects GitLab self-managed instances running any of the following versions: 16.1.0 to 16.1.5, 16.2.0 to 16.2.8, 16.3.0 to 16.3.6, 16.4.0 to 16.4.4, 16.5.0 to 16.5.5, 16.6.0 to 16.6.3, and 16.7.0 to 16.7.1.
The other four vulnerabilities fixed in the same release are:
- CVE-2023-5356 (critical severity): Incorrect authorization checks in GitLab CE/EE allowed an adversary to “abuse Slack/Mattermost integrations to execute slash commands as another user.”
- CVE-2023-4812 (high severity): Pushing additional changes to an already approved merge request could let a user bypass the required CODEOWNERS approval.
- CVE-2023-2030 (low severity): This vulnerability allowed an adversary to modify the metadata of signed commits.
- CVE-2023-6955 (medium severity): Improper access control in GitLab Remote Development could let an adversary create a workspace under a different root namespace. GitLab noted that this was the only one of the five discovered internally by its own security team.
GitLab's security release post provides the full details of each vulnerability.
Patched Versions Available
GitLab has fixed all five flaws in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.7.2, 16.6.4, and 16.5.6. Although the company said it had seen no evidence of active exploitation of any of these vulnerabilities, it strongly advised administrators of self-managed instances to upgrade to a patched release without delay so that they receive all security fixes in time.
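A quick way for an administrator to decide whether an instance needs the upgrade is to compare its version string against the ranges quoted in this article. The following checker is an added example, not a GitLab tool; it encodes only the affected ranges and fixed releases named above and assumes nothing about other releases. The version string can be taken from the output of `gitlab-rake gitlab:env:info` or from the `version` field returned by `GET /api/v4/version` on the instance.

```python
"""Check a self-managed GitLab version against the CVE-2023-7028 ranges
listed in the article above.  Added example; the affected ranges and fixed
releases are exactly those the article names, nothing else is assumed."""
import re

# (first affected, last affected), inclusive, per the article.
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 1, 5)),
    ((16, 2, 0), (16, 2, 8)),
    ((16, 3, 0), (16, 3, 6)),
    ((16, 4, 0), (16, 4, 4)),
    ((16, 5, 0), (16, 5, 5)),
    ((16, 6, 0), (16, 6, 3)),
    ((16, 7, 0), (16, 7, 1)),
]

# Fixed releases the article names, keyed by minor line.
FIXED = {(16, 5): (16, 5, 6), (16, 6): (16, 6, 4), (16, 7): (16, 7, 2)}

# Leading MAJOR.MINOR.PATCH; tolerates edition suffixes such as "-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'16.6.1-ee' -> (16, 6, 1); raises ValueError for anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def check_gitlab_version(text):
    """Return whether `text` is an affected version and what to do about it."""
    v = parse_version(text)
    affected = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    fix = FIXED.get(v[:2])
    if not affected:
        advice = "not in an affected range listed for CVE-2023-7028"
    elif fix:
        advice = f"upgrade to {fix[0]}.{fix[1]}.{fix[2]} or later"
    else:
        # Affected, but the article names no fixed release in this minor line.
        advice = "upgrade to 16.5.6, 16.6.4 or 16.7.2 (no fix in this minor line is named in the article)"
    return {"version": v, "affected": affected, "advice": advice}


if __name__ == "__main__":
    # Constructed sample inputs in the shape gitlab-rake / the API report.
    for sample in ("16.6.1-ee", "16.3.2", "16.7.2-ee", "16.0.9"):
        print(sample, "->", check_gitlab_version(sample))
```

Feeding a version such as `16.6.1-ee` reports it as affected with the advice to move to 16.6.4 or later; `16.7.2-ee` and anything before 16.1 come back as outside the listed ranges. Treat "not affected" as applying to CVE-2023-7028 only; the other four fixes in the release are still a reason to upgrade.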
Let us know your thoughts in the comments.