Active Exploitation of GitLab Vulnerability: CISA Issues Warning

May 1, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a high-severity GitLab vulnerability. This flaw enables attackers to hijack accounts via password resets. Given that GitLab hosts sensitive data, such as proprietary code and API keys, account takeover could have serious consequences. Successful exploitation could potentially lead to supply chain attacks, as attackers could compromise repositories by injecting malicious code into CI/CD (Continuous Integration/Continuous Deployment) environments.

The vulnerability, tracked as CVE-2023-7028, is an improper access control weakness that allows remote unauthenticated threat actors to send password reset emails to email accounts under their control. They can then change the password and hijack targeted accounts without user interaction. While this vulnerability can't be exploited to take over accounts where two-factor authentication (2FA) is enabled, it is crucial to patch systems where accounts are not secured with this additional security measure.

The CVE-2023-7028 flaw affects GitLab Community and Enterprise editions. GitLab has addressed it in versions 16.7.2, 16.5.6, and 16.6.4, and has also backported patches to versions 16.1.6, 16.2.9, and 16.3.7. Shadowserver, a threat monitoring service, found 5,379 vulnerable GitLab instances exposed online in January, the week the security patches were released. Fewer than half of those (2,394) are still reachable at present.
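As an added example, not code from the article or from GitLab, the following Python check maps an instance's reported version onto the fixed releases the article lists, so an operator can triage an inventory of self-managed instances. The host names are constructed, and the rule that releases after 16.7 carry the fix forward is an assumption; branches the article does not list are reported as "unknown" rather than guessed.

```python
"""Triage GitLab instances against the CVE-2023-7028 fixed releases named in the article."""

# Minor branches and the first release on each that carries the fix
# (fixed releases 16.7.2, 16.5.6, 16.6.4 and backports 16.1.6, 16.2.9, 16.3.7).
FIXED_RELEASES = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional '-ee'/'-ce' suffix) into a comparable tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    # Assumption: releases after 16.7 carry the fix forward. Branches the article
    # does not list (16.4, anything before 16.1) are 'unknown' so the operator
    # consults GitLab's advisory instead of trusting this table.
    if version >= (16, 8, 0):
        return "patched"
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group a {host: version} inventory by assessment so vulnerable hosts surface first."""
    result: dict[str, list[str]] = {"vulnerable": [], "unknown": [], "patched": []}
    for host, version in inventory.items():
        result[assess(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"git-a.example": "16.6.2-ee", "git-b.example": "16.7.2",
              "git-c.example": "16.4.3", "git-d.example": "16.9.0"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```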

CISA added CVE-2023-7028 to its Known Exploited Vulnerabilities Catalog on Wednesday, confirming active exploitation and instructing U.S. federal agencies to secure their systems by May 22. Although CISA has not disclosed details about ongoing attacks exploiting this severe GitLab security flaw, it confirmed that there's no evidence of it being used in ransomware attacks. CISA stated, 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.'

CISA's Known Exploited Vulnerabilities Catalog primarily targets federal agencies, but private organizations using the GitLab DevOps platform should also prioritize patching this vulnerability to fend off attacks. Those who haven't patched may already be compromised, so they should follow GitLab's incident response guide and look for signs of compromise as soon as possible.
