GitLab Issues Urgent Security Updates to Address Critical Vulnerabilities

January 12, 2024

GitLab has issued security patches for both its Community and Enterprise Editions to address two critical vulnerabilities. One of them could enable an attacker to hijack a user's account without any user interaction. GitLab strongly recommends that all vulnerable installations of its DevSecOps platform be updated as quickly as possible. The company further notes that if a specific deployment type (omnibus, source code, helm chart, etc.) is not mentioned for an issue, all deployment types are affected.

The most severe vulnerability that GitLab has patched, CVE-2023-7028, has been assigned the maximum severity score of 10 out of 10. Exploitation does not require any user interaction. The flaw is an authentication issue that allows the password reset email for an account to be delivered to arbitrary, unverified email addresses, thereby enabling account takeover. Even if two-factor authentication (2FA) is enabled, an attacker could still reset the password, but the second authentication factor would still be required to log in successfully.

Taking control of a GitLab account could have serious consequences for an organization, as GitLab is often used to host proprietary code, API keys, and other sensitive data. Another potential risk is supply chain attacks, where attackers could compromise repositories by inserting malicious code into live environments when GitLab is used for CI/CD (Continuous Integration/Continuous Deployment).

This issue was discovered and reported to GitLab by a security researcher known as ‘Asterion’ through the HackerOne bug bounty platform. The vulnerability was first introduced on May 1, 2023, with version 16.1.0. GitLab has addressed this flaw in versions 16.7.2, 16.5.6, and 16.6.4, and the fix has also been backported to 16.1.6, 16.2.9, and 16.3.7. GitLab has not detected any active exploitation of CVE-2023-7028 but has shared signs of compromise for defenders to watch out for.
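To turn those version numbers into a quick self-check, here is an added example (not GitLab's own code) that classifies a GitLab version string against the introduced and fixed releases named above. It assumes the 16.4.x branch, for which this article lists no fixed release, should be reported as "no fix listed here" rather than guessed.

```python
"""Classify a GitLab version against CVE-2023-7028 using only the release
facts stated in the article: introduced in 16.1.0, fixed in 16.7.2, 16.5.6,
16.6.4, and backported to 16.1.6, 16.2.9 and 16.3.7."""
import re
from typing import Optional

# Fixed release per (major, minor) branch, as named in the article.
FIXED_IN = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}
INTRODUCED = (16, 1, 0)   # first release carrying the flaw
LATEST_FIX = (16, 7, 2)   # anything at or beyond the newest fix is clean


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' (optional '-ee' / '-ce' suffix) into an int triple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-\w+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True = affected, False = not affected, None = branch inside the
    affected range but with no fix listed in the article (assumption: 16.4.x);
    treat None as 'assume affected, consult the advisory'."""
    v = parse_version(version)
    if v < INTRODUCED or v >= LATEST_FIX:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-a", "16.7.1"), ("ci-b", "16.6.4-ee"),
                      ("ci-c", "16.4.3"), ("ci-d", "16.0.8")]:
        print(f"{host:6} {ver:12} vulnerable={is_vulnerable(ver)}")
```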

The second critical vulnerability, identified as CVE-2023-5356, has a severity score of 9.6 out of 10. This vulnerability could be exploited by an attacker to abuse Slack/Mattermost integrations and execute slash commands as another user. In Mattermost, slash commands allow for the integration of external applications into the workspace, while in Slack, they function as shortcuts for invoking apps in the message composer box.

GitLab has also fixed several other flaws in version 16.7.2. For official update resources and instructions, users can visit GitLab’s update page and the GitLab Runner webpage.
