Vulnerability in Gitlab - Patches available!

Takeover of third-party accounts possible without user interaction

Gitlab has provided patches for several security vulnerabilities. One of them reaches the maximum possible severity level with a CVSS of 10.

New security updates are available for the Community and Enterprise editions of Gitlab, some of which fix critical vulnerabilities, one of which even enables the takeover of third-party user accounts without any user interaction. The provider of the source code management software recommends that administrators urgently update their Gitlab instances. Anyone using the service via gitlab.com is already protected.

In its announcement, Gitlab particularly emphasizes the security vulnerability registered as CVE-2023-7028 and rated as critical with the maximum possible CVSS of 10. It makes it possible for attackers to reset user passwords via an unverified email address and thus completely take over the accounts of other users.

All authentication procedures of the following Gitlab versions are affected:

  • 16.1 to 16.1.5 (patched by 16.1.6)
  • 16.2 to 16.2.8 (patched by 16.2.9)
  • 16.3 to 16.3.6 (patched by 16.3.7)
  • 16.4 to 16.4.4 (patched by 16.4.5)
  • 16.5 to 16.5.5 (patched by 16.5.6)
  • 16.6 to 16.6.3 (patched by 16.6.4)
  • 16.7 to 16.7.1 (patched by 16.7.2)
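The following Python script is an added example and not part of the article or of Gitlab's own tooling: it takes the version string of a self-managed instance and reports which patch release from the list above it should be upgraded to, or nothing if the version is outside every listed range. The range table is copied from the list; the tolerance for a leading "v" and an "-ee" suffix is an assumption about how administrators may have the version recorded.

```python
"""Map a self-managed GitLab version to the patch release that closes CVE-2023-7028.

Added example, not GitLab's code. AFFECTED_RANGES is the article's list,
as (first affected, last affected, fixed in).
"""
import sys
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("16.1.0", "16.1.5", "16.1.6"),
    ("16.2.0", "16.2.8", "16.2.9"),
    ("16.3.0", "16.3.6", "16.3.7"),
    ("16.4.0", "16.4.4", "16.4.5"),
    ("16.5.0", "16.5.5", "16.5.6"),
    ("16.6.0", "16.6.3", "16.6.4"),
    ("16.7.0", "16.7.1", "16.7.2"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'16.1' -> (16, 1, 0); tolerates a leading 'v' and a suffix such as '-ee'
    (assumed input forms, e.g. copied from an admin dashboard)."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def required_patch(version: str) -> Optional[str]:
    """Return the patch release an affected version must move to,
    or None when the version lies outside every listed range
    (already patched, or a minor version the article does not list)."""
    ver = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        # tuple comparison is lexicographic, so (16, 5, 3) <= (16, 5, 5) works as expected
        if parse_version(low) <= ver <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # usage: python gitlab_version_check.py 16.5.3-ee
    for arg in sys.argv[1:] or ["16.7.1"]:
        fix = required_patch(arg)
        print(f"{arg}: {'upgrade to ' + fix if fix else 'not in a listed affected range'}")
```

A `None` result only means the version is not in the article's list; versions the list does not mention (such as any 16.0.x release) are reported as unlisted rather than as safe.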

Active 2FA protects against account takeover

For users with active two-factor authentication (2FA), it is also possible for an attacker to change the password, but not to take over the account. Accordingly, the recommendation is: 2FA should ideally be activated for all Gitlab accounts, but especially for those with extended access rights.

The vulnerability was probably discovered on 1 May 2023 with the release of Gitlab version 16.1.0. Its discoverer, who goes by the pseudonym asterion04, reported the vulnerability via Gitlab's Hackerone bug bounty program.

Exploitation can be checked

Administrators who want to check whether CVE-2023-7028 has already been actively exploited on their instance are advised by Gitlab to take a look at the logs gitlab-rails/production_json.log and gitlab-rails/audit_json.log. Details on the anomalies to be expected there can be found in the provider's announcement.
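As an added example that is not part of the article or of Gitlab's own tooling, the script below scans both log files named above for the indicator Gitlab's advisory describes for this vulnerability: a password-reset request (POST to /users/password) whose email parameter is a JSON array holding more than one address, and the matching audit entry whose target_details is such an array. The log lines embedded in the script are constructed for the example; the field names (params[].value.email, meta.caller_id, target_details) follow Gitlab's JSON log format as referenced in the advisory, and the fallback to a nested meta.caller_id key is an assumption.

```python
"""Flag CVE-2023-7028 exploitation attempts in GitLab's JSON logs.

Added example, not GitLab's code. Looks for password-reset requests whose
email parameter is a multi-element array (the advisory's indicator) in
gitlab-rails/production_json.log and gitlab-rails/audit_json.log.
"""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample of production_json.log (one JSON object per line).
PRODUCTION_LOG = """
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"status":302,"remote_ip":"203.0.113.10","time":"2024-01-12T09:14:02.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"status":200,"remote_ip":"203.0.113.10","time":"2024-01-12T09:15:40.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","unknown@example.net"]}}],"status":302,"remote_ip":"198.51.100.7","time":"2024-01-12T11:02:17.000Z"}
this line is not JSON and must be skipped
"""

# Constructed sample of audit_json.log.
AUDIT_LOG = """
{"severity":"INFO","time":"2024-01-12T11:02:17.000Z","meta.caller_id":"PasswordsController#create","target_details":["alice@example.com","unknown@example.net"],"remote_ip":"198.51.100.7"}
{"severity":"INFO","time":"2024-01-12T09:14:02.000Z","meta.caller_id":"PasswordsController#create","target_details":"alice@example.com","remote_ip":"203.0.113.10"}
"""


def _entries(lines: Iterable[str]) -> Iterable[Dict]:
    """Yield parsed JSON objects, silently skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def _multi_email(value) -> bool:
    """A legitimate reset carries one address; an array with several is the indicator."""
    return isinstance(value, list) and len(value) > 1


def suspicious_reset_requests(lines: Iterable[str]) -> List[Dict]:
    """production_json.log: POST /users/password whose params[].value.email is a multi-element array."""
    hits = []
    for entry in _entries(lines):
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            value = param.get("value") if isinstance(param, dict) else None
            if isinstance(value, dict) and _multi_email(value.get("email")):
                hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"),
                             "emails": value["email"]})
                break
    return hits


def suspicious_audit_events(lines: Iterable[str]) -> List[Dict]:
    """audit_json.log: PasswordsController#create whose target_details is a multi-element array."""
    hits = []
    for entry in _entries(lines):
        meta = entry.get("meta")
        # flattened "meta.caller_id" key first; nested form is an assumed fallback
        caller = entry.get("meta.caller_id") or (meta.get("caller_id") if isinstance(meta, dict) else None)
        if caller == "PasswordsController#create" and _multi_email(entry.get("target_details")):
            hits.append({"time": entry.get("time"), "remote_ip": entry.get("remote_ip"),
                         "emails": entry["target_details"]})
    return hits


if __name__ == "__main__":
    # usage: python check_cve_2023_7028.py production_json.log audit_json.log
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as prod, open(sys.argv[2]) as audit:
            prod_hits = suspicious_reset_requests(prod)
            audit_hits = suspicious_audit_events(audit)
    else:
        prod_hits = suspicious_reset_requests(PRODUCTION_LOG.splitlines())
        audit_hits = suspicious_audit_events(AUDIT_LOG.splitlines())
    for hit in prod_hits + audit_hits:
        print(hit)
```

A hit in either file only shows that a reset request with several addresses was received; whether a reset actually succeeded is visible from the subsequent sign-in and password-change events for the affected account, which is why the advisory also recommends resetting credentials and enforcing 2FA for accounts that appear in such entries.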

Other fixed vulnerabilities include CVE-2023-5356, which is also classified as critical with a CVSS of 9.6. An attacker could misuse the Slack/Mattermost integrations to execute slash commands as another user, Gitlab explains. In addition, the company has also patched CVE-2023-4812, CVE-2023-6955 and CVE-2023-2030 - with varying severity levels from low to high.

Found at: https://www.golem.de/news/gitlab-uebernahme-fremder-konten-ohne-nutzerinteraktion-moeglich-2401-181149.html