CISA Warns of Ongoing Exploitation of Serious GitLab Password Reset Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has elevated a critical flaw affecting GitLab to its Known Exploited Vulnerabilities (KEV) catalog due to its ongoing exploitation in live environments.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the critical vulnerability allows account takeover by causing password reset emails to be sent to an unverified email address.

GitLab Report

GitLab first disclosed details of this vulnerability in January, revealing that it was introduced through a code alteration in version 16.1.0 on May 1, 2023.

“This vulnerability impacts all authentication mechanisms within these versions,” GitLab stated. “Furthermore, users utilizing two-factor authentication remain susceptible to password reset attempts; however, account takeover requires the additional second authentication factor.”

Successful exploitation of this vulnerability carries significant risks, as it not only grants malicious actors control over GitLab user accounts but also provides opportunities for data theft, credential compromise, and the introduction of malicious code into source code repositories, potentially initiating supply chain attacks.

“For instance, an attacker gaining access to the CI/CD pipeline configuration could implant malicious code aimed at exfiltrating sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to servers under their control,” explained cloud security firm Mitiga in a recent report.

“Similarly, tampering with repository code could involve inserting malware compromising system integrity or introducing backdoors for unauthorized access. Malicious code or abuse of the pipeline could result in data theft, code manipulation, unauthorized access, and supply chain attacks.”

Conclusion

The GitLab team has addressed this flaw in versions 16.5.6, 16.6.4, and 16.7.2, with patches also retroactively applied to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
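For defenders checking an inventory of self-managed instances, the following is an added example (not code from the article or from GitLab) that turns the fixed releases listed above into a version check. It assumes the affected range starts at 16.1.0 on each minor branch and that 16.8 and later shipped with the fix already in place.

```python
# Added example: decide whether a GitLab version falls inside the
# CVE-2023-7028 affected range using the patched releases named in the
# article. Affected: 16.1.0 up to (but excluding) the fixed release of
# each 16.x minor branch; branches from 16.8 on are assumed fixed.
from typing import Dict, Tuple

# Earliest release of each affected minor branch that carries the fix.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; edition suffixes such as '-ee' are ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_vulnerable(version: str) -> bool:
    """True if the version is inside the CVE-2023-7028 affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < (16, 1, 0):
        return False  # bug was introduced in 16.1.0
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False  # assumption: 16.8+ and later majors ship the fix
    return (major, minor, patch) < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'PATCH NOW' or 'ok' for a {host: version} inventory."""
    return {host: ("PATCH NOW" if is_vulnerable(ver) else "ok")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git-a": "16.5.5-ee", "git-b": "16.6.4", "git-c": "16.0.8"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```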

Although CISA has not disclosed specific details regarding how threat actors are exploiting this vulnerability, it has mandated that federal agencies implement the latest fixes by May 22, 2024, to safeguard their networks against potential exploitation.
