Due to ongoing exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant vulnerability affecting GitLab to its Known Exploited Vulnerabilities (KEV) database.

Tracked as CVE-2023-7028 (CVSS score: 10.0), this critical vulnerability could lead to account takeover by causing password reset emails to be sent to an unconfirmed email address.

As disclosed by GitLab earlier this January, the problem stems from a code change introduced in version 16.1.0 on May 1, 2023.

“All authentication mechanisms are impacted within these versions,” the firm said at the time. “As their second authentication factor is required to login, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover.”

Successful exploitation lets an attacker seize control of a GitLab user account, steal credentials and sensitive data, and even poison source code repositories with malicious code, opening the door to supply chain attacks.

“For example, an attacker gaining access to the CI/CD pipeline configuration could embed malicious code designed to exfiltrate sensitive data, such as Personally Identifiable Information (PII) or authentication tokens, redirecting them to an adversary-controlled server,” cloud security company Mitiga stated in a recent report.

Similarly, tampering with repository code could involve inserting malware that compromises system integrity or establishes backdoors for unauthorized access. The presence of malicious code or abuse of pipelines could lead to supply chain attacks, unauthorized access, code disruptions, and data theft.

The issue has been addressed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and fixes have also been retroactively applied to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.
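To turn the version list above into a triage check, the following added example (not GitLab's or CISA's code) classifies GitLab version strings against the introduced and fixed releases named in this article. The hostnames and inventory are constructed, and treating minor lines newer than 16.7 as patched is an assumption the article does not state.

```python
import re

# Versions taken from the article: flaw introduced in 16.1.0; first fixed
# patch release for each affected minor line.
INTRODUCED = (16, 1, 0)
FIXED_PATCH = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from strings such as '16.5.4-ee' or 'v16.7.2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())

def classify(text):
    """Return 'not-affected', 'vulnerable' or 'patched' for one version string."""
    major, minor, patch = version = parse_version(text)
    if version < INTRODUCED:
        return "not-affected"          # predates the 16.1.0 change
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Assumption: minor lines newer than 16.7 shipped with the fix.
        return "patched"
    return "patched" if patch >= fixed else "vulnerable"

def triage(inventory):
    """Map {host: version} to the sorted list of hosts that need upgrading."""
    return sorted(h for h, v in inventory.items() if classify(v) == "vulnerable")

# Constructed inventory for illustration (hostnames are hypothetical).
SAMPLE = {
    "git-a.example.internal": "16.5.4-ee",
    "git-b.example.internal": "16.7.2",
    "git-c.example.internal": "15.11.13",
    "git-d.example.internal": "v16.1.5",
    "git-e.example.internal": "16.8.1-ce.0",
}

if __name__ == "__main__":
    for host, ver in SAMPLE.items():
        print(f"{host:28} {ver:14} {classify(ver)}")
```
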

As of now, CISA has not provided additional details on how attackers are exploiting the vulnerability. To mitigate the ongoing abuse, federal agencies are required to secure their networks by May 22, 2024.

In conclusion, the active exploitation of the serious GitLab password reset vulnerability, tracked as CVE-2023-7028, has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include it in its Known Exploited Vulnerabilities (KEV) database. This critical flaw, introduced in GitLab version 16.1.0 and disclosed by GitLab in January, poses significant risks, including account takeover, data theft, and supply chain attacks. While fixes have been implemented in newer GitLab versions and retroactively applied to earlier ones, federal agencies are urged to secure their networks by May 22, 2024, to mitigate potential abuse. Despite ongoing exploitation, CISA has yet to provide detailed information on the nature of the attacks. It’s imperative for organizations to remain vigilant and promptly address vulnerabilities to safeguard their systems and sensitive data from malicious actors.
