GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
The more severe of the two carries the maximum CVSS score of 10.0 and is tracked as CVE-2023-7028.
Exploitation requires no user interaction.
It is an authentication flaw in the password reset flow: a reset request can be made to deliver the reset email to an arbitrary, unverified email address, so an attacker who controls that address can set a new password and take over the account.
If two-factor authentication is enabled, the password can still be reset this way, but the second factor is still required to log in, so 2FA blocks the takeover even though it does not block the reset itself.
Hijacking a GitLab account can have a significant impact on an organization since the platform is typically used to host proprietary code, API keys and other sensitive data.
Another risk is that of supply chain attacks: where GitLab is used for CI/CD, an attacker holding a hijacked account can compromise repositories and push malicious code into live environments.
The issue was discovered and reported to GitLab by security researcher 'Asterion' via the HackerOne bug bounty platform. It was introduced on May 1, 2023, with version 16.1.0.
The flaw was addressed in GitLab versions 16.7.2, 16.5.6, and 16.6.4, and the fix has also been backported to 16.1.6, 16.2.9, and 16.3.7.
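Two checks an administrator would want after reading the above: whether a given instance is on a patched release, and whether the instance's request logs show the telltale shape of an exploitation attempt (a password reset request carrying more than one email address). The script below is an added example, not code from the article, from GitLab, or from the researcher. The version ranges come only from the fixed versions listed above (16.4 has no fixed version on this page, so it is reported as unknown rather than guessed). The log lines are constructed, and the field names (method, path, remote_ip, params as key/value pairs) are an assumption about the layout of GitLab's JSON request log rather than a copy of any real entry.

```python
import json
from typing import Iterable, List, Dict, Any

# Fixed patch level per affected minor branch, taken from the article:
# 16.1.6, 16.2.9, 16.3.7, 16.5.6, 16.6.4, 16.7.2. Assumption: 16.4 is
# deliberately absent because the article names no fix for that branch.
FIXED_PATCH = {(16, 1): 6, (16, 2): 9, (16, 3): 7,
               (16, 5): 6, (16, 6): 4, (16, 7): 2}


def version_status(version: str) -> str:
    """Classify a GitLab version string such as '16.7.1-ee' against CVE-2023-7028."""
    numeric = version.split("-")[0]            # drop '-ee' / '-ce' suffix
    major, minor, patch = (int(p) for p in numeric.split(".")[:3])
    if (major, minor) < (16, 1):
        return "not affected (predates 16.1.0, where the bug was introduced)"
    if (major, minor) > (16, 7):
        return "fixed (branch released after the patched 16.7.2)"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown (no fixed version for this branch is listed in the article)"
    if patch >= fixed:
        return "fixed"
    return f"vulnerable (upgrade to {major}.{minor}.{fixed} or later)"


def _user_emails(params: Any) -> Any:
    """Return the user[email] value from a params array of {key, value} pairs, or None."""
    if not isinstance(params, list):
        return None
    for entry in params:
        if isinstance(entry, dict) and entry.get("key") == "user":
            value = entry.get("value")
            if isinstance(value, dict):
                return value.get("email")
    return None


def find_password_reset_abuse(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Flag POST /users/password requests whose email parameter is a list of 2+ addresses.

    A legitimate reset form submits a single string; an array with more than one
    address is the shape that abuses the unverified-address delivery described above.
    """
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                                  # skip non-JSON / truncated lines
        if rec.get("method") != "POST" or rec.get("path") != "/users/password":
            continue
        emails = _user_emails(rec.get("params"))
        if isinstance(emails, list) and len(set(emails)) > 1:
            findings.append({"remote_ip": rec.get("remote_ip"),
                             "emails": emails,
                             "status": rec.get("status")})
    return findings


# Constructed sample log lines (not from any real instance).
SAMPLE_LOG = "\n".join([
    '{"method":"POST","path":"/users/password","status":302,"remote_ip":"203.0.113.5",'
    '"params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    '{"method":"POST","path":"/users/password","status":302,"remote_ip":"198.51.100.7",'
    '"params":[{"key":"user","value":{"email":["alice@example.com","attacker@evil.test"]}}]}',
    '{"method":"GET","path":"/users/sign_in","status":200,"remote_ip":"203.0.113.9","params":[]}',
    'not json at all',
])

if __name__ == "__main__":
    for v in ("16.7.1-ee", "16.7.2", "16.4.3", "16.0.8"):
        print(v, "->", version_status(v))
    for hit in find_password_reset_abuse(SAMPLE_LOG.splitlines()):
        print("suspicious reset from", hit["remote_ip"], "for", hit["emails"])
```

A hit from this scan is evidence of an attempt, not proof of success; the next step is to check whether the listed primary address's account had its password changed and whether any of its tokens or SSH keys were added afterwards.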
The second critical problem is identified as CVE-2023-5356 and has a severity score of 9.6 out of 10.
An attacker could exploit it to abuse the Slack and Mattermost integrations and execute slash commands as another user.
In Mattermost, slash commands are the mechanism for integrating external applications into a workspace; in Slack they act as shortcuts for invoking apps from the message composer box.
The same releases also fix the following issues:
CVE-2023-4812: a high-severity vulnerability affecting GitLab 15.3 and later that allows CODEOWNERS approval to be bypassed by making changes to a merge request after it has been approved.
CVE-2023-6955: improper access control for Workspaces in GitLab versions prior to 16.7.2, allowing an attacker to create a workspace in one group that is associated with an agent from another group.
CVE-2023-2030: a commit signature validation flaw affecting GitLab CE/EE 12.2 and later, where improper signature validation makes it possible to modify the metadata of signed commits.
For instructions and official update resources, check out GitLab's update page.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 12 Jan 2024 19:25:11 +0000