GitLab is releasing a patch to fix a vulnerability in its email verification process that bad actors can exploit to reset user passwords and take over accounts.
The flaw, CVE-2023-7028, was introduced in May 2023 in GitLab 16.1.0, in which a change was made that allowed users to reset their password through a secondary email address.
The fix was introduced with this month's release of versions 16.7.2, 16.6.4 and 16.5.6 of GitLab Community Edition and Enterprise Edition.
The vulnerability could allow attackers to take over the password reset process by having password reset messages sent to unverified email addresses.
It also could enable threat actors to take over accounts.
The flaw was found via the DevOps platform's bug bounty program.
GitLab has not seen the vulnerability being exploited on platforms it manages, including GitLab.com and GitLab Dedicated instances, Myers wrote.
That's good, because CVE-2023-7028 comes with the maximum severity of 10.0 on the CVSS scoring system.
The flaw has a wide reach, affecting user accounts that log in with a username and password.
Accounts with single sign-on options also are vulnerable, Myers wrote.
Users with two-factor authentication enabled aren't vulnerable to an attacker taking over their account, but the bad actor will still be able to reset their password.
That said, they won't be able to access the 2FA method.
The vulnerability affects GitLab CE and EE versions 16.1 through 16.7.1.
GitLab is urging users to upgrade self-managed instances to a patched version using the platform's upgrade path - and not skipping upgrade stops - and to enable 2FA on all GitLab accounts, particularly for users with elevated privileges, such as those with administrator accounts.
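To turn the affected range and fixed releases named above into something an administrator can run against an inventory of self-managed instances, here is a small version-triage script. It is an added example, not GitLab's code or part of the advisory; the version strings in the inventory are constructed, and the only facts it encodes are the ones in the article (affected 16.1.0 through 16.7.1, fixed in 16.5.6, 16.6.4 and 16.7.2). It reports the smallest fixed release at or above each instance's branch; the actual upgrade must still follow GitLab's documented upgrade path without skipping required stops.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Facts from the advisory as reported: affected 16.1.0 .. 16.7.1,
# fixed in the backported releases below.
AFFECTED_FROM: Version = (16, 1, 0)
AFFECTED_BEFORE: Version = (16, 7, 2)
FIXED_VERSIONS: List[Version] = [(16, 5, 6), (16, 6, 4), (16, 7, 2)]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (an '-ee' / '-ce' suffix is tolerated) into a tuple."""
    core = s.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(v: Version) -> bool:
    """True if the running version falls in the vulnerable range and has no backported fix."""
    if not (AFFECTED_FROM <= v < AFFECTED_BEFORE):
        return False
    # A patch release on the same minor branch that is at or above the fixed
    # release already carries the backported fix (e.g. 16.6.4 and later on 16.6.x).
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2] and v >= fixed:
            return False
    return True


def recommended_upgrade(v: Version) -> Optional[Version]:
    """Smallest fixed release not below the running version, or None if already safe."""
    if not is_affected(v):
        return None
    return min(f for f in FIXED_VERSIONS if f >= v)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, status, target) rows; target is '' when no upgrade is required."""
    rows = []
    for host, version_str in inventory:
        v = parse_version(version_str)
        target = recommended_upgrade(v)
        if target is None:
            rows.append((host, "not affected", ""))
        else:
            rows.append((host, "AFFECTED", ".".join(map(str, target))))
    return rows


if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames and versions) for demonstration.
    sample = [
        ("git-a.example.internal", "16.3.2-ee"),
        ("git-b.example.internal", "16.6.3-ce"),
        ("git-c.example.internal", "16.6.4-ee"),
        ("git-d.example.internal", "16.7.1-ce"),
        ("git-e.example.internal", "16.0.8-ce"),
    ]
    for host, status, target in triage(sample):
        print(f"{host:28} {status:13} {target}")
```

Note that the check is deliberately conservative: anything at or above 16.7.2 is treated as fixed, and pre-16.1.0 instances are reported as not affected by this particular flaw, which says nothing about other issues those older versions carry.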
The firm also said that organizations need to regularly monitor GitLab instances for suspicious activity.
The latest release also fixes another high-severity vulnerability - tracked as CVE-2023-5356 and with a CVSS rating of 9.6 - that allowed hackers to abuse Slack and Mattermost integrations and execute slash commands as another user.
Developer platforms like GitLab are increasingly being targeted by threat groups looking to launch supply-chain attacks by planting malicious code in software that is then sent downstream to users.
Vendors, industry groups, and government agencies are pushing such protections as software bills-of-materials to ensure the security and safety of components being used in software development.
Most recently, the U.S. Cybersecurity and Infrastructure Security Agency in November 2023 requested public input on another proposal to bolster security in the software supply chain by creating a unified system for software identification to track such information as known vulnerabilities, available security patches, and approved software.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 16 Jan 2024 13:43:16 +0000