On January 11, 2024, GitLab issued an update containing a crucial security fix for a vulnerability. The flaw allows a user to have an account's password reset email delivered to an unverified email address, potentially granting unauthorized access to the repository. Nearly all versions in the 16.x series of the software are vulnerable.
GITLAB ZERO-CLICK VULNERABILITY ALLOWS ACCOUNT HIJACKING
According to the company’s official description of CVE-2023-7028, a critical bug is present in a few versions. Exploiting this, a potential adversary can send a password reset email to any email address, enabling hackers to easily hijack accounts with varying access privileges. The simplicity of exploitation and the severity of potential consequences contribute to this vulnerability receiving a CVSS score of 10/10.
Accessing the repository grants attackers the ability to manipulate the stored code at will.
This includes activities such as selling corporate secrets, searching the code for exploitable software vulnerabilities, injecting malicious code to compromise employees' systems, or even launching a supply chain attack. Patching this vulnerability is urgent and should be done immediately.
According to GitLab, having 2FA enabled on the account would have prevented hijacking, as two-factor authentication is not affected by the bug and still has to be satisfied at login. However, many users neglect the security of their Git repository access, which expands the potential impact of CVE-2023-7028.
GITLAB 0-CLICK VULNERABILITY FIXES AVAILABLE
The company not only issued a security notification but also incorporated it into the patch notes for the update addressing the issue. According to the provided information, only the 16.x series is affected, specifically the following minor releases:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
The latest available versions are 16.5.6, 16.6.4, and 16.7.2, which on their own would leave users of 16.4 and earlier without an in-series fix. However, GitLab has backported the fix to versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, and 16.6.4, so upgrading to the most recent release is not necessary. Since no mitigation options are available, updating remains the only viable choice.
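The affected and backport-fixed ranges above are easy to misread when triaging a fleet of self-hosted instances, so here is an added example (not GitLab's own tooling) that parses a reported version string such as the one printed by the instance and reports whether it falls in an affected range and which patched release in the same series closes the hole. The version ranges are taken from the article; the handling of an edition suffix like "-ee" and the "16.x" shorthand meaning "16.x.0" are assumptions made for this example.

```python
"""Triage helper for CVE-2023-7028: is this GitLab version in an affected range?

Added example, not GitLab code. Ranges come from the advisory summary above;
the parser, suffix handling and comparison logic are this example's own.
"""
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed release in the same minor series).
# "16.1" in the advisory summary is read here as 16.1.0 (assumption).
AFFECTED_RANGES = [
    ("16.1.0", "16.1.5", "16.1.6"),
    ("16.2.0", "16.2.8", "16.2.9"),
    ("16.3.0", "16.3.6", "16.3.7"),
    ("16.4.0", "16.4.4", "16.4.5"),
    ("16.5.0", "16.5.5", "16.5.6"),
    ("16.6.0", "16.6.3", "16.6.4"),
    ("16.7.0", "16.7.1", "16.7.2"),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is dropped (assumption)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def check_cve_2023_7028(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version).

    affected is True when the version lies inside one of the advisory's ranges;
    fixed_version is then the smallest patched release in that same minor series,
    so an operator can stay on their series instead of jumping to 16.7.2.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison gives correct numeric ordering (16.1.10 > 16.1.5).
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def report(version: str) -> str:
    """Human-readable one-liner for a version, used by the command-line entry point."""
    affected, fixed = check_cve_2023_7028(version)
    if affected:
        return f"{version}: AFFECTED by CVE-2023-7028, upgrade to {fixed} or later"
    return f"{version}: not in an affected range"


if __name__ == "__main__":
    # Usage: python triage.py 16.5.3-ee 16.7.2
    for arg in sys.argv[1:] or ["16.5.3-ee"]:
        print(report(arg))
```

The check is deliberately conservative: anything that does not parse as three numeric components raises rather than silently passing, and versions outside the listed series (15.x, 16.0.x, 16.8 and later) are reported as not in an affected range rather than as safe, since the article only lists what GitLab named.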