GITLAB - CVE-2023-7028


A critical vulnerability in GitLab can be easily exploited by attackers to reset GitLab user account passwords.

Associated with the reference CVE-2023-7028, this critical security flaw reported through GitLab's Bug Bounty program affects GitLab Community Edition (CE) and Enterprise Edition (EE).

By exploiting this flaw remotely, and without any user interaction, an attacker can reset the password of a user account and take control of it. The flaw lets the attacker trigger the password reset process for a user account while having the reset link delivered to an e-mail address of their choice. All the attacker then has to do is click on the link and set a new password.

CVE-2023-7028 affects self-managed GitLab instances using GitLab Community Edition (CE) and Enterprise Edition (EE) versions:

  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1.x prior to 16.1.6
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.2.x prior to 16.2.9
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.3.x prior to 16.3.7
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.4.x prior to 16.4.5
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.5.x prior to 16.5.6
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.6.x prior to 16.6.4
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.7.x prior to 16.7.2

GitLab has released new versions to correct this security flaw: 16.7.2, 16.6.4 and 16.5.6 for GitLab CE and EE.

You should therefore update your GitLab instance to one of these versions.
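As an added example (not code from the original article or from GitLab), the following script checks a GitLab version string against the affected ranges listed above. It assumes the version is read from the instance's `GET /api/v4/version` endpoint, which returns a JSON object with a `version` field; the response body below is constructed for illustration.

```python
import json
import re

# Affected 16.x branches and the first patch level that fixes each one,
# taken from the version list in this article.
FIXED_PATCH = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) for strings like '16.6.1' or '16.6.1-ee'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the vulnerable ranges above.

    Branches absent from the table (older than 16.1 or newer than 16.7) are
    reported as not affected because the article lists no range for them.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


def check_api_response(body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version."""
    version = json.loads(body)["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample response (not captured from a real instance).
SAMPLE_BODY = '{"version": "16.6.3-ee", "revision": "0123456"}'

if __name__ == "__main__":
    print(check_api_response(SAMPLE_BODY))
```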

In addition to patching your instance, GitLab recommends enabling MFA on as many user accounts as possible, giving priority to administrator accounts.

This is all the more important because accounts with MFA configured are protected from this flaw by the second authentication factor: an attacker can still reset the account password, but cannot log in without the second factor.

At Newton Services, we can help you update your instance. Book an appointment with one of our experts.
